Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
EEghgCvQUy.exe

Overview

General Information

Sample name:EEghgCvQUy.exe
renamed because original name is a hash value
Original sample name:e3ef14a268039e14d8e20d2cddf143fb437dd4ac2caa450d179d6903fe513eac.exe
Analysis ID:1565800
MD5:77907d53bc3d8c4abf7d4596972842b0
SHA1:1e6ccbbb242c3119a5861a9e745660080fb0f78e
SHA256:e3ef14a268039e14d8e20d2cddf143fb437dd4ac2caa450d179d6903fe513eac
Tags:172-86-76-228exeuser-JAMESWT_MHT
Infos:

Detection

DanaBot
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
AI detected suspicious sample
May use the Tor software to hide its network traffic
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • EEghgCvQUy.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\EEghgCvQUy.exe" MD5: 77907D53BC3D8C4ABF7D4596972842B0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DanaBotProofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
  • SCULLY SPIDER
https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.1654188859.00007FF4FC890000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_DanaBot_stealer_dllYara detected DanaBot stealer dllJoe Security
      00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_DanaBot_stealer_dllYara detected DanaBot stealer dllJoe Security
          Process Memory Space: EEghgCvQUy.exe PID: 7436JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-30T21:03:07.734492+010020344651Malware Command and Control Activity Detected192.168.2.449915172.86.76.246443TCP
            2024-11-30T21:03:07.762236+010020344651Malware Command and Control Activity Detected192.168.2.449916104.194.143.5443TCP
            2024-11-30T21:03:07.799893+010020344651Malware Command and Control Activity Detected192.168.2.449917104.194.148.11443TCP
            2024-11-30T21:03:07.824539+010020344651Malware Command and Control Activity Detected192.168.2.449918172.86.76.246443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: EEghgCvQUy.exeAvira: detected
            Multi AV Scanner detection for submitted file
            Source: EEghgCvQUy.exeReversingLabs: Detection: 44%
            Yara detected DanaBot stealer dll
            Source: Yara matchFile source: 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: EEghgCvQUy.exe PID: 7436, type: MEMORYSTR
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031D6FA0 CryptImportKey,0_2_031D6FA0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031D6FC0 CryptVerifySignatureW,0_2_031D6FC0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_00413990 FindFirstFileW,FindClose,0_2_00413990
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02B95C90 FindFirstFileW,FindClose,0_2_02B95C90
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_63086040 _errno,_errno,FindNextFileW,WideCharToMultiByte,calloc,calloc,MultiByteToWideChar,FindFirstFileW,free,free,free,_errno,malloc,strcpy,strlen,_errno,strcpy,strlen,free,free,_errno,_errno,WideCharToMultiByte,0_2_63086040
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.4:49916 -> 104.194.143.5:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.4:49918 -> 172.86.76.246:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.4:49917 -> 104.194.148.11:443
            Source: Network trafficSuricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.4:49915 -> 172.86.76.246:443
            Source: Joe Sandbox ViewIP Address: 172.86.76.246 172.86.76.246
            Source: Joe Sandbox ViewIP Address: 104.194.148.11 104.194.148.11
            Source: Joe Sandbox ViewIP Address: 104.194.143.5 104.194.143.5
            Source: Joe Sandbox ViewASN Name: M247GB M247GB
            Source: Joe Sandbox ViewASN Name: PONYNETUS PONYNETUS
            Source: Joe Sandbox ViewASN Name: PONYNETUS PONYNETUS
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.143.5
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 104.194.148.11
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: unknownTCP traffic detected without corresponding DNS query: 172.86.76.246
            Source: EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
            Source: EEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
            Source: EEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
            Source: EEghgCvQUy.exeString found in binary or memory: http://www.openssl.org/
            Source: EEghgCvQUy.exe, 00000000.00000002.3539806536.000000006E46B000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1662154280.00007FF4FCB1B000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC5F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/V
            Source: EEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC38000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
            Source: EEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC38000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: EEghgCvQUy.exe, 00000000.00000002.3517531700.0000000000B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: EEghgCvQUy.exe, 00000000.00000002.3517531700.0000000000B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: EEghgCvQUy.exe, 00000000.00000002.3517531700.0000000000B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49920
            Source: unknownNetwork traffic detected: HTTP traffic on port 49783 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
            Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
            Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49919
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49916
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
            Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031DB300 GetSystemMetrics,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SetStretchBltMode,StretchBlt,DeleteObject,DeleteDC,GetDIBits,DeleteObject,ReleaseDC,DeleteDC,0_2_031DB300

            E-Banking Fraud

            barindex
            Yara detected DanaBot stealer dll
            Source: Yara matchFile source: 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: EEghgCvQUy.exe PID: 7436, type: MEMORYSTR
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031D6FA0 CryptImportKey,0_2_031D6FA0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_004134600_2_00413460
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031DC1E00_2_031DC1E0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02B957600_2_02B95760
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_03206FE00_2_03206FE0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031DBD100_2_031DBD10
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031E02700_2_031E0270
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02D067200_2_02D06720
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031F2B800_2_031F2B80
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02BCC8700_2_02BCC870
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031948300_2_03194830
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02BB49900_2_02BB4990
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031E5F800_2_031E5F80
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031F1EC00_2_031F1EC0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031AFD700_2_031AFD70
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_03137C900_2_03137C90
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_630892000_2_63089200
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_6308AA700_2_6308AA70
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_630860400_2_63086040
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_6308A0500_2_6308A050
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_630820A00_2_630820A0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_63087F400_2_63087F40
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_631D3E500_2_631D3E50
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_63163D800_2_63163D80
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 02B9E130 appears 31 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 031E3FC0 appears 413 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 02B900D0 appears 31 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 63082570 appears 87 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 03193F30 appears 40 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 6314AA90 appears 46 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 63082CB0 appears 41 times
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: String function: 02B8FF30 appears 236 times
            Source: EEghgCvQUy.exeBinary or memory string: OriginalFilename vs EEghgCvQUy.exe
            Source: EEghgCvQUy.exe, 00000000.00000002.3539806536.000000006E46B000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamessleay32.dllH vs EEghgCvQUy.exe
            Source: EEghgCvQUy.exe, 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibeay32.dllH vs EEghgCvQUy.exe
            Source: EEghgCvQUy.exe, 00000000.00000002.3533199806.000000000348E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs EEghgCvQUy.exe
            Source: EEghgCvQUy.exe, 00000000.00000003.1662154280.00007FF4FCB1B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamessleay32.dllH vs EEghgCvQUy.exe
            Source: EEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC5F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibeay32.dllH vs EEghgCvQUy.exe
            Source: classification engineClassification label: mal92.phis.troj.spyw.evad.winEXE@1/8@0/3
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031371A0 StartServiceCtrlDispatcherW,0_2_031371A0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031371A0 StartServiceCtrlDispatcherW,0_2_031371A0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile created: C:\Users\user\AppData\Local\Temp\AawrtreroswweJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
            Source: EEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: EEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: EEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: EEghgCvQUy.exe, 00000000.00000003.1734316736.0000000004550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: EEghgCvQUy.exeReversingLabs: Detection: 44%
            Source: EEghgCvQUy.exeString found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
            Source: EEghgCvQUy.exeString found in binary or memory: set-addPolicy
            Source: EEghgCvQUy.exeString found in binary or memory: -addr
            Source: EEghgCvQUy.exeString found in binary or memory: -start
            Source: EEghgCvQUy.exeString found in binary or memory: id-cmc-addExtensions
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: avifil32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: netprofm.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: mmdevapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: audioses.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
            Source: EEghgCvQUy.exeStatic file information: File size 3536896 > 1048576
            Source: EEghgCvQUy.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x35ee00
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_004032AA push rax; retf 0_2_004032B7
            Source: initial sampleStatic PE information: section name: UPX0
            Source: initial sampleStatic PE information: section name: UPX1
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031371A0 StartServiceCtrlDispatcherW,0_2_031371A0

            Hooking and other Techniques for Hiding and Protection

            barindex
            May use the Tor software to hide its network traffic
            Source: EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1654387427.00007FF4FC980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: torConnect
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\Desktop\EEghgCvQUy.exe TID: 7556Thread sleep time: -70000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exe TID: 7560Thread sleep time: -52000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exe TID: 7564Thread sleep time: -75075s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_00413990 FindFirstFileW,FindClose,0_2_00413990
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02B95C90 FindFirstFileW,FindClose,0_2_02B95C90
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_63086040 _errno,_errno,FindNextFileW,WideCharToMultiByte,calloc,calloc,MultiByteToWideChar,FindFirstFileW,free,free,free,_errno,malloc,strcpy,strlen,_errno,strcpy,strlen,free,free,_errno,_errno,WideCharToMultiByte,0_2_63086040
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_004163D0 GetSystemInfo,0_2_004163D0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeThread delayed: delay time: 75075Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: EEghgCvQUy.exe, 00000000.00000002.3517531700.0000000000ACC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031E3CA0 VirtualAlloc,VirtualAlloc,GetProcessHeap,VirtualFree,GetNativeSystemInfo,VirtualAlloc,0_2_031E3CA0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031E48B0 GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_031E48B0
            Source: EEghgCvQUy.exe, 00000000.00000003.1654188859.00007FF4FC890000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32
            Source: EEghgCvQUy.exeBinary or memory string: Shell_TrayWnd
            Source: EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: explorer.exeShell_TrayWnd
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02E024F0 cpuid 0_2_02E024F0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_00413B40
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00412BF0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_02B94EF0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_02B95E40
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIdJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_02BB8CF0 GetLocalTime,0_2_02BB8CF0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_031E4AB0 GetTimeZoneInformation,0_2_031E4AB0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeCode function: 0_2_004128B0 RtlInitializeCriticalSection,GetVersion,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,0_2_004128B0
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected DanaBot stealer dll
            Source: Yara matchFile source: 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: EEghgCvQUy.exe PID: 7436, type: MEMORYSTR
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferencesJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Users\user\Desktop\EEghgCvQUy.exeFile opened: C:\Users\user\AppData\Roaming\Miranda\Jump to behavior
            Source: Yara matchFile source: 00000000.00000003.1654188859.00007FF4FC890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: EEghgCvQUy.exe PID: 7436, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected DanaBot stealer dll
            Source: Yara matchFile source: 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: EEghgCvQUy.exe PID: 7436, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		1
            Deobfuscate/Decode Files or Information            		1
            OS Credential Dumping            		2
            System Time Discovery            		Remote Services11
            Archive Collected Data            		22
            Encrypted Channel            		Exfiltration Over Other Network Medium1
            Data Encrypted for Impact
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		3
            Windows Service            		3
            Windows Service            		21
            Obfuscated Files or Information            		1
            Credentials in Registry            		3
            File and Directory Discovery            		Remote Desktop Protocol1
            Data from Local System            		1
            Multi-hop Proxy            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts2
            Service Execution            		Logon Script (Windows)1
            Process Injection            		1
            Software Packing            		1
            Credentials In Files            		76
            System Information Discovery            		SMB/Windows Admin Shares1
            Screen Capture            		1
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            DLL Side-Loading            		NTDS121
            Security Software Discovery            		Distributed Component Object ModelInput Capture1
            Proxy            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script121
            Virtualization/Sandbox Evasion            		LSA Secrets2
            Process Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Process Injection            		Cached Domain Credentials121
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync2
            System Owner/User Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            EEghgCvQUy.exe45%ReversingLabsWin64.Trojan.SpywareX
            EEghgCvQUy.exe100%AviraTR/AVI.Agent.ozton

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            https://ac.ecosia.org/autocomplete?q=EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://html4/loose.dtdEEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpfalse
                		high
                https://duckduckgo.com/chrome_newtabEEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  http://www.openssl.org/support/faq.htmlRANDEEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC38000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpfalse
                    		high
                    https://duckduckgo.com/ac/?q=EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icoEEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://www.openssl.org/VEEghgCvQUy.exe, 00000000.00000002.3539806536.000000006E46B000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1662154280.00007FF4FCB1B000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC5F000.00000004.00001000.00020000.00000000.sdmpfalse
                          		high
                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchEEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://www.openssl.org/EEghgCvQUy.exefalse
                              		high
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://.cssEEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.ecosia.org/newtab/EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://.jpgEEghgCvQUy.exe, EEghgCvQUy.exe, 00000000.00000003.1656064470.00007FF4FC31D000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmpfalse
                                        		high
                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=EEghgCvQUy.exe, 00000000.00000003.1733668096.0000000000B7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.openssl.org/support/faq.htmlEEghgCvQUy.exe, 00000000.00000003.1659479540.00007FF4FCC38000.00000004.00001000.00020000.00000000.sdmp, EEghgCvQUy.exe, 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpfalse
                                            		high

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            172.86.76.246
                                            		unknownUnited States
                                            		9009M247GBtrue
                                            104.194.148.11
                                            		unknownUnited States
                                            		53667PONYNETUStrue
                                            104.194.143.5
                                            		unknownUnited States
                                            		53667PONYNETUStrue

                                            General Information

                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1565800
                                            Start date and time:2024-11-30 20:59:56 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 51s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Run name:Run with higher sleep bypass
                                            Number of analysed new started processes analysed:5
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:EEghgCvQUy.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:e3ef14a268039e14d8e20d2cddf143fb437dd4ac2caa450d179d6903fe513eac.exe
                                            Detection:MAL
                                            Classification:mal92.phis.troj.spyw.evad.winEXE@1/8@0/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:Failed
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                            Warnings

                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                            • Report size getting too big, too many NtEnumerateValueKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: EEghgCvQUy.exe

                                            Simulations

                                            Behavior and APIs

                                            No simulations

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            172.86.76.2463yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                              danabot.exeGet hashmaliciousDanaBotBrowse
                                                danabot.exeGet hashmaliciousDanaBotBrowse
                                                  u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                    u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                      1.exeGet hashmaliciousUnknownBrowse
                                                        1.exeGet hashmaliciousUnknownBrowse
                                                          1.exeGet hashmaliciousUnknownBrowse
                                                            1.exeGet hashmaliciousUnknownBrowse
                                                              104.194.148.113yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                                                danabot.exeGet hashmaliciousDanaBotBrowse
                                                                  danabot.exeGet hashmaliciousDanaBotBrowse
                                                                    u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                                      u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                                        F24_023.pdf.jsGet hashmaliciousUnknownBrowse
                                                                          F24_023.pdf.jsGet hashmaliciousUnknownBrowse
                                                                            1.exeGet hashmaliciousUnknownBrowse
                                                                              1.exeGet hashmaliciousUnknownBrowse
                                                                                104.194.143.53yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                                                                  danabot.exeGet hashmaliciousDanaBotBrowse
                                                                                    danabot.exeGet hashmaliciousDanaBotBrowse
                                                                                      u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                                                        u26bBpzXS5.exeGet hashmaliciousDanaBotBrowse
                                                                                          1.exeGet hashmaliciousUnknownBrowse
                                                                                            1.exeGet hashmaliciousUnknownBrowse
                                                                                              1.exeGet hashmaliciousUnknownBrowse
                                                                                                1.exeGet hashmaliciousUnknownBrowse

                                                                                                  Domains

                                                                                                  No context

                                                                                                  ASNs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  PONYNETUS3yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                                                                                  • 104.194.143.5
                                                                                                  hmips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.49.186
                                                                                                  ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 205.185.114.79
                                                                                                  mips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.44.226
                                                                                                  arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.44.226
                                                                                                  x86.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.49.186
                                                                                                  AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 107.189.5.7
                                                                                                  NfFibKKmiz.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 107.189.8.65
                                                                                                  harm5.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 205.185.114.79
                                                                                                  PONYNETUS3yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                                                                                  • 104.194.143.5
                                                                                                  hmips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.49.186
                                                                                                  ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 205.185.114.79
                                                                                                  mips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.44.226
                                                                                                  arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.44.226
                                                                                                  x86.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 209.141.49.186
                                                                                                  AD6dpKQm7n.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 107.189.5.7
                                                                                                  NfFibKKmiz.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 107.189.8.65
                                                                                                  harm5.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 205.185.114.79
                                                                                                  M247GB3yb52PgwJ2.exeGet hashmaliciousDanaBotBrowse
                                                                                                  • 172.86.76.246
                                                                                                  sora.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 38.206.46.20
                                                                                                  sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 46.102.180.201
                                                                                                  sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                  • 38.202.83.248
                                                                                                  loligang.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 192.230.38.195
                                                                                                  newtpp.exeGet hashmaliciousXmrigBrowse
                                                                                                  • 91.202.233.141
                                                                                                  SKM_BH450i2411261138090453854974574748668683985857435.scr.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                                                                                  • 104.250.180.178
                                                                                                  #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                                                  • 104.250.180.178
                                                                                                  LM94OE0VNK.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 91.202.233.141

                                                                                                  JA3 Fingerprints

                                                                                                  No context

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  C:\Users\user\AppData\Local\Temp\Aawrtreroswwe

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106496
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                                                  SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                                                  SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                                                  SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Ehaurtdq

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106496
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                                                                                  SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                                                                                  SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                                                                                  SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Eqsepootsafhfsy

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):28672
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:CF845A781C107EC1346E849C9DD1B7E8
                                                                                                  SHA1:B44CCC7F7D519352422E59EE8B0BDBAC881768A7
                                                                                                  SHA-256:18619B678A5C207A971A0AA931604F48162E307C57ECDEC450D5F095FE9F32C7
                                                                                                  SHA-512:4802861EA06DC7FB85229A3C8F04E707A084F1BA516510C6F269821B33C8EE4EBF495258FE5BEE4850668A5AAC1A45F0EDF51580DA13B7EE160A29D067C67612
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Ofeeyayqrtuo

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):98304
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:0A9156C4E3C48EF827980639C4D1E263
                                                                                                  SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                                                                                  SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                                                                                  SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Ofeeyayqrtuo-shm

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.017262956703125623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                  Malicious:false
                                                                                                  Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Qtapqhetueryfe

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:F4F35D60B3CC18AAA6D8D92F0CD3708A
                                                                                                  SHA1:6FECD5769C727E137B7580AE3B1823B06EE6F9D9
                                                                                                  SHA-256:2AAE7DC846AAF25F1CADF55F1666862046C6DB9D65D84BDC07FA039DAC405606
                                                                                                  SHA-512:A69E2DCE2F75771C63ACDA51E4AEECC95B00F65377E3026BAF93A6CFB936BF6F10CB320CC09B0E43EB7833D062B24EFC5932569A1826E55DBB736CCDA0BEB413
                                                                                                  Malicious:false
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Srheqie

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):114688
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:76B973F7B910A22256212C63ADB7A103
                                                                                                  SHA1:2EAB7B3CF42E12BA5F1FF6AB512E4A105740F631
                                                                                                  SHA-256:96C94D0826105FE47C587FD79E8869CE5EDBFBACDDDAB9F4F30C5FECBA2CA6A3
                                                                                                  SHA-512:4C11351FE96BA26070E1B22230AA940BAFD2AA646960ED7A512F7398DAFE6FA2C029FE941F7EBF2C27C9D64957DC05DF66F5DB4365A9A8C6556216314FC12E95
                                                                                                  Malicious:false
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\Yuftsyida

                                                                                                  Download File
                                                                                                  Process:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40960
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:AB893875D697A3145AF5EED5309BEE26
                                                                                                  SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                                                                                  SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                                                                                  SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                                                                                  Malicious:false
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Entropy (8bit):7.9998412555247205
                                                                                                  TrID:
                                                                                                  • Win64 Executable GUI (202006/5) 81.25%
                                                                                                  • UPX compressed Win32 Executable (30571/9) 12.30%
                                                                                                  • Win64 Executable (generic) (12005/4) 4.83%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.81%
                                                                                                  • DOS Executable Generic (2002/1) 0.81%
                                                                                                  File name:EEghgCvQUy.exe
                                                                                                  File size:3'536'896 bytes
                                                                                                  MD5:77907d53bc3d8c4abf7d4596972842b0
                                                                                                  SHA1:1e6ccbbb242c3119a5861a9e745660080fb0f78e
                                                                                                  SHA256:e3ef14a268039e14d8e20d2cddf143fb437dd4ac2caa450d179d6903fe513eac
                                                                                                  SHA512:def0d3466d63dfb2d47d7ed6df7cee988ac775019b0688fc907e1483286c6c0a5ed575b2aaf7fbd941eb2af1284c3449a3c5c997a9c502d90b2e0a000feb192b
                                                                                                  SSDEEP:98304:F9HVsDziILdkWRN5mP7SkaUP303ajQL0OKAZI:F9HcziahmP7bPk3aU7Z
                                                                                                  TLSH:DDF533A0D056F85DF2644AB981BAFCEE16AF4A3093537F2574A07D31BE1770A2D3A10D
                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

                                                                                                  File Icon

                                                                                                  Icon Hash:90cececece8e8eb0

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x900fb0
                                                                                                  Entrypoint Section:UPX1
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                  DLL Characteristics:
                                                                                                  Time Stamp:0x66729964 [Wed Jun 19 08:40:04 2024 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:5
                                                                                                  OS Version Minor:2
                                                                                                  File Version Major:5
                                                                                                  File Version Minor:2
                                                                                                  Subsystem Version Major:5
                                                                                                  Subsystem Version Minor:2
                                                                                                  Import Hash:ad8a6bdba83b149dbc6bdfa0db06a72b

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  push ebx
                                                                                                  push esi
                                                                                                  push edi
                                                                                                  push ebp
                                                                                                  dec eax
                                                                                                  lea esi, dword ptr [FFCA2045h]
                                                                                                  dec eax
                                                                                                  lea edi, dword ptr [esi-001A2000h]
                                                                                                  dec eax
                                                                                                  lea eax, dword ptr [edi+00487158h]
                                                                                                  push dword ptr [eax]
                                                                                                  mov dword ptr [eax], D8E37165h
                                                                                                  push eax
                                                                                                  push edi
                                                                                                  mov eax, 004FEC8Bh
                                                                                                  push eax
                                                                                                  dec eax
                                                                                                  mov ecx, esp
                                                                                                  dec eax
                                                                                                  mov edx, edi
                                                                                                  dec eax
                                                                                                  mov edi, esi
                                                                                                  mov esi, 0035DFA7h
                                                                                                  push ebp
                                                                                                  dec eax
                                                                                                  mov ebp, esp
                                                                                                  inc esp
                                                                                                  mov ecx, dword ptr [ecx]
                                                                                                  dec ecx
                                                                                                  mov eax, edx
                                                                                                  dec eax
                                                                                                  mov edx, esi
                                                                                                  dec eax
                                                                                                  lea esi, dword ptr [edi+02h]
                                                                                                  push esi
                                                                                                  mov al, byte ptr [edi]
                                                                                                  dec edx
                                                                                                  mov cl, al
                                                                                                  and al, 07h
                                                                                                  shr cl, 00000003h
                                                                                                  dec eax
                                                                                                  mov ebx, FFFFFD00h
                                                                                                  dec eax
                                                                                                  shl ebx, cl
                                                                                                  mov cl, al
                                                                                                  dec eax
                                                                                                  lea ebx, dword ptr [esp+ebx*2-00000E78h]
                                                                                                  dec eax
                                                                                                  and ebx, FFFFFFC0h
                                                                                                  push 00000000h
                                                                                                  dec eax
                                                                                                  cmp esp, ebx
                                                                                                  jne 00007FC7107E6D0Bh
                                                                                                  push ebx
                                                                                                  dec eax
                                                                                                  lea edi, dword ptr [ebx+08h]
                                                                                                  mov cl, byte ptr [esi-01h]
                                                                                                  dec edx
                                                                                                  mov byte ptr [edi+02h], al
                                                                                                  mov al, cl
                                                                                                  shr cl, 00000004h
                                                                                                  mov byte ptr [edi+01h], cl
                                                                                                  and al, 0Fh
                                                                                                  mov byte ptr [edi], al
                                                                                                  dec eax
                                                                                                  lea ecx, dword ptr [edi-04h]
                                                                                                  push eax
                                                                                                  inc ecx
                                                                                                  push edi
                                                                                                  dec eax
                                                                                                  lea eax, dword ptr [edi+04h]
                                                                                                  inc ebp
                                                                                                  xor edi, edi
                                                                                                  inc ecx
                                                                                                  push esi
                                                                                                  inc ecx
                                                                                                  mov esi, 00000001h
                                                                                                  inc ecx
                                                                                                  push ebp
                                                                                                  inc ebp
                                                                                                  xor ebp, ebp
                                                                                                  inc ecx
                                                                                                  push esp
                                                                                                  push ebp
                                                                                                  push ebx
                                                                                                  dec eax
                                                                                                  sub esp, 48h
                                                                                                  dec eax
                                                                                                  mov dword ptr [esp+38h], ecx
                                                                                                  dec eax
                                                                                                  mov dword ptr [esp+20h], eax
                                                                                                  mov eax, 00000001h
                                                                                                  dec eax
                                                                                                  mov dword ptr [esp+40h], esi
                                                                                                  dec esp
                                                                                                  mov dword ptr [esp+30h], eax

                                                                                                  Data Directories

                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x4c00000x98UPX1
                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x5023680x210.rsrc
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x5020000x368.rsrc
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x4d80000x18954UPX1
                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x5025780x10.rsrc
                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x501b500x28UPX1
                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x4bf0000x30eUPX1
                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                  Sections

                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                  UPX00x10000x1a20000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                  UPX10x1a30000x35f0000x35ee0077c8a858177ab37750951b99f8b5bd0funknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                  .rsrc0x5020000x10000x600781d19bf54bdf98cf636d5ed06c9d066False0.3776041666666667data3.2303719074386645IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                                  Resources

                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                  RT_STRING0x4f13680x29cdata1.0164670658682635
                                                                                                  RT_STRING0x4f16040x3bcdata1.0115062761506277
                                                                                                  RT_STRING0x4f19c00x2dcdata1.0150273224043715
                                                                                                  RT_STRING0x4f1c9c0x44cdata1.01
                                                                                                  RT_STRING0x4f20e80x544data1.008160237388724
                                                                                                  RT_STRING0x4f262c0x37cdata1.0123318385650224
                                                                                                  RT_STRING0x4f29a80x440data1.010110294117647
                                                                                                  RT_STRING0x4f2de80x21cOpenPGP Public Key1.0203703703703704
                                                                                                  RT_STRING0x4f30040xbcdata1.0585106382978724
                                                                                                  RT_STRING0x4f30c00x100data1.04296875
                                                                                                  RT_STRING0x4f31c00x338data1.0133495145631068
                                                                                                  RT_STRING0x4f34f80x478data1.0096153846153846
                                                                                                  RT_STRING0x4f39700x354OpenPGP Public Key1.0129107981220657
                                                                                                  RT_STRING0x4f3cc40x2b8data1.0158045977011494
                                                                                                  RT_RCDATA0x4f3f7c0x10data1.5625
                                                                                                  RT_RCDATA0x4f3f8c0x324data1.013681592039801

                                                                                                  Imports

                                                                                                  DLLImport
                                                                                                  advapi32.dllRegCloseKey
                                                                                                  KERNEL32.DLLLoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                                                                                                  msvcrt.dllmemset
                                                                                                  netapi32.dllNetWkstaGetInfo
                                                                                                  oleaut32.dllVariantCopy
                                                                                                  user32.dllCharNextW
                                                                                                  version.dllVerQueryValueW

                                                                                                  Network Behavior

                                                                                                  Suricata IDS Alerts

                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                  2024-11-30T21:03:07.734492+01002034465ET MALWARE Danabot Key Exchange Request1192.168.2.449915172.86.76.246443TCP
                                                                                                  2024-11-30T21:03:07.762236+01002034465ET MALWARE Danabot Key Exchange Request1192.168.2.449916104.194.143.5443TCP
                                                                                                  2024-11-30T21:03:07.799893+01002034465ET MALWARE Danabot Key Exchange Request1192.168.2.449917104.194.148.11443TCP
                                                                                                  2024-11-30T21:03:07.824539+01002034465ET MALWARE Danabot Key Exchange Request1192.168.2.449918172.86.76.246443TCP

                                                                                                  Network Port Distribution

                                                                                                  TCP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Nov 30, 2024 21:02:05.599241018 CET49781443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.599277020 CET44349781172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.599358082 CET49781443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.619040966 CET49781443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.619056940 CET44349781172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.619102001 CET49781443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.619103909 CET44349781172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.619108915 CET44349781172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.625686884 CET49783443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:02:05.625694990 CET44349783104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.625756979 CET49783443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:02:05.638875008 CET49783443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:02:05.638885021 CET44349783104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.638904095 CET44349783104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.638935089 CET49783443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:02:05.638941050 CET44349783104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.645498037 CET49785443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:02:05.645513058 CET44349785104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.645580053 CET49785443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:02:05.662575006 CET49785443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:02:05.662590027 CET44349785104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.662607908 CET49785443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:02:05.662616014 CET44349785104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.662626982 CET44349785104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.669977903 CET49786443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.669986963 CET44349786172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.670057058 CET49786443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.686577082 CET49786443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.686585903 CET44349786172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.686603069 CET44349786172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:02:05.686639071 CET49786443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:02:05.686645985 CET44349786172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.709119081 CET49915443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.709157944 CET44349915172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.709279060 CET49915443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.734492064 CET49915443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.734507084 CET44349915172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.734536886 CET44349915172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.734570980 CET49915443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.734579086 CET44349915172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.744247913 CET49916443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.744297981 CET44349916104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.744369984 CET49916443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.762236118 CET49916443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.762253046 CET44349916104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.762284994 CET44349916104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.762300968 CET49916443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.762310028 CET44349916104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.769815922 CET49917443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.769826889 CET44349917104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.769900084 CET49917443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.799892902 CET49917443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.799905062 CET44349917104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.799935102 CET44349917104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.799949884 CET49917443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.799957037 CET44349917104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.809544086 CET49918443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.809554100 CET44349918172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.809618950 CET49918443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.824538946 CET49918443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.824552059 CET44349918172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.824573994 CET44349918172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.824594975 CET49918443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.824600935 CET44349918172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.832036018 CET49919443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.832130909 CET44349919172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.832201004 CET49919443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.852875948 CET49919443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.852916956 CET44349919172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.852945089 CET44349919172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.861972094 CET49920443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.862006903 CET44349920104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.862067938 CET49920443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.878021955 CET49920443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.878036976 CET44349920104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.878052950 CET49920443192.168.2.4104.194.143.5
                                                                                                  Nov 30, 2024 21:03:07.878057957 CET44349920104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.878072977 CET44349920104.194.143.5192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.885212898 CET49921443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.885221004 CET44349921104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.885291100 CET49921443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.909373045 CET49921443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.909389973 CET44349921104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.909410000 CET44349921104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.909434080 CET49921443192.168.2.4104.194.148.11
                                                                                                  Nov 30, 2024 21:03:07.909446001 CET44349921104.194.148.11192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.918504953 CET49922443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.918513060 CET44349922172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.918570995 CET49922443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.932585001 CET49922443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.932595968 CET44349922172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.932617903 CET44349922172.86.76.246192.168.2.4
                                                                                                  Nov 30, 2024 21:03:07.932648897 CET49922443192.168.2.4172.86.76.246
                                                                                                  Nov 30, 2024 21:03:07.932655096 CET44349922172.86.76.246192.168.2.4

                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:15:00:43
                                                                                                  Start date:30/11/2024
                                                                                                  Path:C:\Users\user\Desktop\EEghgCvQUy.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\Desktop\EEghgCvQUy.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:3'536'896 bytes
                                                                                                  MD5 hash:77907D53BC3D8C4ABF7D4596972842B0
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:Borland Delphi
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1654188859.00007FF4FC890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000003.1654659679.00007FF4FCAB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:7.8%
                                                                                                    Dynamic/Decrypted Code Coverage:70.9%
                                                                                                    Signature Coverage:23.3%
                                                                                                    Total number of Nodes:1148
                                                                                                    Total number of Limit Nodes:63
                                                                                                    execution_graph 41894 409000 41895 40900a 41894->41895 41896 40901f 41894->41896 41895->41896 41898 409330 8 API calls 41895->41898 41898->41896 41899 40dd80 41900 40de6d 41899->41900 41912 40ddbe 41899->41912 41927 40e6c0 41900->41927 41905 40de81 41932 40e710 8 API calls 41905->41932 41909 40de8a 41912->41900 41914 40dd60 41912->41914 41917 40dc70 39 API calls 41912->41917 41918 40ee00 8 API calls 41912->41918 41919 40dcf0 41 API calls 41912->41919 41920 40edb0 9 API calls 41912->41920 41921 40ecf0 41912->41921 41933 4162e0 41914->41933 41917->41912 41918->41912 41919->41912 41920->41912 41922 40ed0b 41921->41922 41926 40ed1d 41921->41926 41924 40e590 8 API calls 41922->41924 41922->41926 41923 40e6c0 8 API calls 41925 40ed58 41923->41925 41924->41926 41925->41912 41926->41923 41928 40e6d0 41927->41928 41929 40de78 41927->41929 41928->41929 41930 409060 8 API calls 41928->41930 41931 40e760 SysFreeString 41929->41931 41930->41929 41931->41905 41932->41909 41934 41630d 41933->41934 41941 40dd70 41933->41941 41935 416317 41934->41935 41936 416349 41934->41936 41942 412680 41935->41942 41952 40ff30 41936->41952 41939 416322 41946 40e980 41939->41946 41941->41912 41943 412690 41942->41943 41944 4126aa 41942->41944 41943->41944 41956 412620 41943->41956 41944->41939 41947 40e9a6 41946->41947 41948 40e99f 41946->41948 41950 40e6c0 8 API calls 41947->41950 41949 40e590 8 API calls 41948->41949 41949->41947 41951 40e9d4 41950->41951 41951->41941 41953 40ff44 41952->41953 41954 40e980 8 API calls 41953->41954 41955 40ff52 41954->41955 41955->41941 41957 412636 41956->41957 41959 412655 41956->41959 41960 413e90 41957->41960 41959->41944 41961 413ed0 41960->41961 41972 40ff60 41961->41972 41964 40ff30 8 API calls 41965 413ef1 41964->41965 41976 413c60 41965->41976 41968 413f02 42012 40e7a0 41968->42012 41970 40e6c0 8 API calls 41971 413f40 41970->41971 41971->41959 41973 40ff6f 41972->41973 41974 40e980 8 API calls 41973->41974 41975 40ffa1 41974->41975 41975->41964 41977 413cc6 41976->41977 41978 40e6c0 8 API calls 41977->41978 41979 413cdc 41978->41979 41996 413d7e 41979->41996 42016 40ed70 41979->42016 41981 40e7a0 8 API calls 41982 413e2f 41981->41982 41983 40e7a0 8 API calls 41982->41983 41984 413e41 41983->41984 41984->41968 41989 413d83 42044 413020 41989->42044 41990 413d5d 42030 413a20 41990->42030 41991 413d3c 42020 413890 41991->42020 41994 40ecf0 8 API calls 41994->41996 41996->41981 41998 413a20 10 API calls 41999 413da7 41998->41999 42000 40ecf0 8 API calls 41999->42000 42001 413db4 42000->42001 42002 413df8 42001->42002 42003 413dc7 GetSystemDefaultUILanguage 42001->42003 42002->41996 42073 413b40 42002->42073 42004 413020 21 API calls 42003->42004 42006 413dd7 42004->42006 42008 413a20 10 API calls 42006->42008 42010 413deb 42008->42010 42009 40ecf0 8 API calls 42009->41996 42011 40ecf0 8 API calls 42010->42011 42011->42002 42013 40e7c2 42012->42013 42014 40e7af 42012->42014 42013->41970 42014->42013 42015 40e6c0 8 API calls 42014->42015 42015->42014 42017 40ed85 42016->42017 42018 40e6c0 8 API calls 42017->42018 42019 40eda0 42018->42019 42019->41991 42094 4104c0 42019->42094 42021 4138b3 42020->42021 42022 4138c9 42020->42022 42098 413460 42021->42098 42024 40ff30 8 API calls 42022->42024 42026 4138d9 42024->42026 42028 40e6c0 8 API calls 42026->42028 42029 4138e3 42028->42029 42029->41989 42029->41990 42031 413a4b 42030->42031 42032 40e6c0 8 API calls 42031->42032 42040 413a5e 42032->42040 42033 413ad8 42034 40e6c0 8 API calls 42033->42034 42035 413ae1 42034->42035 42036 40e6c0 8 API calls 42035->42036 42037 413aeb 42036->42037 42039 40e7a0 8 API calls 42037->42039 42038 4104c0 8 API calls 42038->42040 42041 413afa 42039->42041 42040->42033 42040->42035 42040->42038 42138 4102a0 42040->42138 42159 413990 42040->42159 42041->41994 42045 413055 42044->42045 42046 413063 42045->42046 42047 41308b 42045->42047 42048 40ff60 8 API calls 42046->42048 42051 40e6c0 8 API calls 42047->42051 42049 41307a RtlLeaveCriticalSection 42048->42049 42050 413196 42049->42050 42052 40e7a0 8 API calls 42050->42052 42055 4130a0 42051->42055 42053 4131a5 42052->42053 42053->41998 42054 413150 RtlEnterCriticalSection 42058 413174 42054->42058 42055->42054 42056 4130e4 42055->42056 42057 4130c4 42055->42057 42177 412bf0 11 API calls 42056->42177 42176 412eb0 14 API calls 42057->42176 42063 413189 RtlLeaveCriticalSection 42058->42063 42061 4130f5 42064 40ecf0 8 API calls 42061->42064 42062 4130d5 42065 40ecf0 8 API calls 42062->42065 42063->42050 42067 413102 42064->42067 42066 4130e2 42065->42066 42066->42054 42067->42054 42068 41312f GetSystemDefaultUILanguage 42067->42068 42178 4101d0 8 API calls 42067->42178 42179 412bf0 11 API calls 42068->42179 42071 413143 42180 4101d0 8 API calls 42071->42180 42181 40e850 42073->42181 42076 40ff60 8 API calls 42077 413ba0 42076->42077 42078 4102a0 8 API calls 42077->42078 42079 413bb1 42078->42079 42080 413990 10 API calls 42079->42080 42081 413bc1 42080->42081 42083 40ff60 8 API calls 42081->42083 42093 413c0d 42081->42093 42082 40e7a0 8 API calls 42084 413c1d 42082->42084 42085 413bdf 42083->42085 42086 40e6c0 8 API calls 42084->42086 42087 4102a0 8 API calls 42085->42087 42088 413c26 42086->42088 42089 413bf0 42087->42089 42088->42009 42090 413990 10 API calls 42089->42090 42091 413c00 42090->42091 42092 40e6c0 8 API calls 42091->42092 42091->42093 42092->42093 42093->42082 42095 4104d2 42094->42095 42096 40e980 8 API calls 42095->42096 42097 410511 42096->42097 42097->41991 42099 413489 42098->42099 42100 413494 GetModuleFileNameW 42099->42100 42101 4134a8 42099->42101 42100->42101 42102 4134d1 RegOpenKeyExW 42101->42102 42119 41372a 42101->42119 42103 4135f4 42102->42103 42104 41350c RegOpenKeyExW 42102->42104 42127 413210 lstrlenW 42103->42127 42104->42103 42106 41353c RegOpenKeyExW 42104->42106 42105 40e6c0 8 API calls 42108 413737 42105->42108 42106->42103 42109 41356c RegOpenKeyExW 42106->42109 42126 413910 8 API calls 42108->42126 42109->42103 42111 413598 RegOpenKeyExW 42109->42111 42110 413608 RegQueryValueExW 42112 413634 42110->42112 42113 413687 RegQueryValueExW 42110->42113 42111->42103 42115 4135c4 RegOpenKeyExW 42111->42115 42128 409030 42112->42128 42114 4136b6 42113->42114 42124 413682 42113->42124 42117 409030 8 API calls 42114->42117 42115->42103 42115->42119 42121 4136bf RegQueryValueExW 42117->42121 42118 41371e RegCloseKey 42118->42119 42119->42105 42125 40ff30 8 API calls 42121->42125 42123 40ff30 8 API calls 42123->42124 42124->42118 42132 409060 42124->42132 42125->42124 42126->42022 42127->42110 42129 40903a RegQueryValueExW 42128->42129 42130 40903e 42128->42130 42129->42123 42130->42129 42136 409330 8 API calls 42130->42136 42133 40906a 42132->42133 42134 40906e 42132->42134 42133->42118 42134->42133 42137 409330 8 API calls 42134->42137 42136->42129 42137->42133 42139 4102d0 42138->42139 42140 4102be 42138->42140 42142 4102d8 42139->42142 42143 4102ea 42139->42143 42141 40ecf0 8 API calls 42140->42141 42144 4102cb 42141->42144 42145 40ecf0 8 API calls 42142->42145 42146 4102f7 42143->42146 42147 410309 42143->42147 42144->42040 42145->42144 42166 4101d0 8 API calls 42146->42166 42149 410312 42147->42149 42150 41039e 42147->42150 42151 410341 42149->42151 42167 40af00 8 API calls 42149->42167 42152 40ecf0 8 API calls 42150->42152 42168 40e590 42151->42168 42154 4103ab 42152->42154 42174 4101d0 8 API calls 42154->42174 42157 410348 42158 40e6c0 8 API calls 42157->42158 42158->42144 42160 4139ae 42159->42160 42161 4139bb FindFirstFileW 42160->42161 42162 4139e2 42161->42162 42163 4139da FindClose 42161->42163 42164 40e6c0 8 API calls 42162->42164 42163->42162 42165 4139ef 42164->42165 42165->42040 42166->42144 42167->42151 42169 40e5bc 42168->42169 42170 40e59d 42168->42170 42169->42157 42171 40e5aa 42170->42171 42175 40af00 8 API calls 42170->42175 42173 409030 8 API calls 42171->42173 42173->42169 42174->42144 42175->42171 42176->42062 42177->42061 42178->42068 42179->42071 42180->42054 42182 40e858 GetUserDefaultUILanguage GetLocaleInfoW 42181->42182 42182->42076 42183 418460 42184 418479 42183->42184 42187 40dc10 42184->42187 42190 40db70 42187->42190 42191 40dbe1 42190->42191 42192 40db88 42190->42192 42192->42191 42194 417a40 42192->42194 42195 417b1c 42194->42195 42196 417a5d 42194->42196 42195->42192 42197 417a72 SetThreadLocale 42196->42197 42203 4163d0 42197->42203 42199 417aa6 42200 417afb GetCurrentThreadId 42199->42200 42205 4163f0 GetVersion 42200->42205 42202 417b1b 42202->42195 42204 4163de 42203->42204 42204->42199 42205->42202 42206 2b87d30 42207 2b87dff 42206->42207 42208 2b87d4f 42206->42208 42211 2b87e08 42207->42211 42212 2b88084 42207->42212 42209 2b87d5e 42208->42209 42210 2b87da7 42208->42210 42233 2b87d6a 42209->42233 42253 2b87740 42209->42253 42215 2b87740 7 API calls 42210->42215 42213 2b87f30 42211->42213 42214 2b87e21 42211->42214 42212->42233 42238 2b875b0 42212->42238 42216 2b8802b 42213->42216 42221 2b87f5d 42213->42221 42213->42233 42220 2b87e46 42214->42220 42223 2b87efb 42214->42223 42214->42233 42228 2b87dc4 42215->42228 42219 2b87740 7 API calls 42216->42219 42222 2b88052 42219->42222 42224 2b87e74 42220->42224 42220->42233 42285 2b871c0 Sleep Sleep 42221->42285 42222->42233 42236 2b87b10 10 API calls 42222->42236 42226 2b87740 7 API calls 42223->42226 42284 2b871c0 Sleep Sleep 42224->42284 42235 2b87f06 42226->42235 42232 2b87b10 10 API calls 42228->42232 42228->42233 42229 2b87f68 42229->42216 42229->42233 42230 2b87d7d 42230->42233 42271 2b87b10 42230->42271 42231 2b87e7b 42231->42233 42232->42233 42235->42233 42237 2b87b10 10 API calls 42235->42237 42236->42233 42237->42233 42239 2b875e0 VirtualQuery 42238->42239 42240 2b876e2 42238->42240 42242 2b876a9 42239->42242 42243 2b8761c 42239->42243 42244 2b87740 7 API calls 42240->42244 42248 2b8768d 42240->42248 42245 2b87740 7 API calls 42242->42245 42243->42242 42246 2b87651 VirtualAlloc 42243->42246 42250 2b876fc 42244->42250 42249 2b876b1 42245->42249 42246->42242 42247 2b8766f VirtualAlloc 42246->42247 42247->42242 42247->42248 42248->42233 42249->42248 42252 2b87b10 10 API calls 42249->42252 42250->42248 42251 2b87b10 10 API calls 42250->42251 42251->42248 42252->42248 42254 2b879a9 42253->42254 42255 2b87774 42253->42255 42257 2b87aee 42254->42257 42258 2b879b6 42254->42258 42256 2b87783 42255->42256 42265 2b87837 Sleep 42255->42265 42262 2b87860 42256->42262 42263 2b87865 42256->42263 42269 2b8779a 42256->42269 42257->42269 42286 2b87460 42257->42286 42259 2b879ca 42258->42259 42264 2b879cf 42258->42264 42295 2b871c0 Sleep Sleep 42259->42295 42290 2b871c0 Sleep Sleep 42262->42290 42263->42269 42291 2b87370 42263->42291 42268 2b87370 VirtualAlloc 42264->42268 42264->42269 42265->42256 42267 2b87850 Sleep 42265->42267 42267->42255 42268->42269 42269->42230 42272 2b87bfb 42271->42272 42273 2b87b2d 42271->42273 42274 2b87d19 42272->42274 42275 2b87b34 42272->42275 42273->42275 42278 2b87bc2 Sleep 42273->42278 42283 2b87b3e 42274->42283 42303 2b874f0 42274->42303 42276 2b87c15 42275->42276 42281 2b87c1a 42275->42281 42275->42283 42310 2b871c0 Sleep Sleep 42276->42310 42278->42275 42280 2b87be5 Sleep 42278->42280 42280->42273 42282 2b87cb6 VirtualFree 42281->42282 42281->42283 42282->42283 42283->42233 42284->42231 42285->42229 42287 2b87492 42286->42287 42288 2b874ae 42287->42288 42296 2b87410 42287->42296 42288->42269 42290->42263 42301 2b872d0 42291->42301 42293 2b8737c VirtualAlloc 42294 2b8739f 42293->42294 42294->42269 42295->42264 42297 2b8745a 42296->42297 42298 2b8741d 42296->42298 42297->42288 42298->42297 42299 2b87428 Sleep 42298->42299 42299->42297 42300 2b8743f Sleep 42299->42300 42300->42298 42302 2b872e2 42301->42302 42302->42293 42304 2b87410 2 API calls 42303->42304 42305 2b8750b 42304->42305 42306 2b87525 VirtualFree 42305->42306 42309 2b87543 42305->42309 42308 2b8753a 42306->42308 42307 2b8754f VirtualQuery VirtualFree 42307->42308 42307->42309 42308->42283 42309->42307 42309->42308 42310->42281 42311 2b95c90 42312 2b95cae 42311->42312 42313 2b95cbb FindFirstFileW 42312->42313 42314 2b95cda FindClose 42313->42314 42315 2b95ce2 42313->42315 42314->42315 42318 2b8f8e0 42315->42318 42319 2b8f919 42318->42319 42320 2b8f8f0 42318->42320 42320->42319 42322 2b89180 42320->42322 42323 2b8918a 42322->42323 42324 2b8918e 42322->42324 42323->42319 42324->42323 42326 2b89450 8 API calls 42324->42326 42326->42323 42327 2bb2ff0 42328 2bb3009 42327->42328 42329 2bb309d GetLastError 42328->42329 42331 2bb301d 42328->42331 42330 2bb302c 42329->42330 42331->42330 42332 2bb3079 CloseHandle 42331->42332 42333 2bb3085 GetLastError 42331->42333 42332->42330 42333->42330 42334 2e0d6f0 42335 2e0d72a 42334->42335 42336 2e0d70d 42334->42336 42338 2e0d734 42335->42338 42390 2e0d6c0 40 API calls 42335->42390 42388 2bbd020 40 API calls 42336->42388 42348 2e0d3f0 42338->42348 42339 2e0d722 42389 2b8eb60 8 API calls 42339->42389 42343 2e0d790 42368 2e0d000 42343->42368 42344 2e0d783 42344->42343 42391 2d01220 61 API calls 42344->42391 42392 2b93fe0 42348->42392 42350 2e0d561 GetThreadLocale 42351 2e0d59d 42350->42351 42353 2e0d5e3 42351->42353 42354 2e0d5a9 42351->42354 42352 2b905b0 8 API calls 42367 2e0d468 42352->42367 42397 2e0c7a0 59 API calls 42353->42397 42395 2bbd1d0 57 API calls 42354->42395 42357 2e0d5e1 42398 2b8f9f0 42357->42398 42358 2b98630 10 API calls 42358->42367 42359 2e0d5d9 42396 2b8eb60 8 API calls 42359->42396 42362 2b8fff0 9 API calls 42362->42367 42365 2b8f980 SysFreeString 42365->42367 42366 2e0d60b 42366->42344 42367->42350 42367->42352 42367->42358 42367->42362 42367->42365 42475 2b923b0 42368->42475 42372 2e0d062 42489 2d014a0 42372->42489 42374 2e0d098 42375 2e0d25d 42374->42375 42498 2e0d7c0 59 API calls 42374->42498 42499 2d01aa0 61 API calls 42375->42499 42378 2e0d2d5 42505 2b92660 21 API calls 42378->42505 42380 2e0d2ee 42506 2b92560 42380->42506 42382 2e0d274 42382->42378 42500 2b90690 8 API calls 42382->42500 42501 2b91900 42382->42501 42386 2b941b0 21 API calls 42387 2e0d314 42386->42387 42388->42339 42389->42335 42390->42338 42391->42343 42408 2b93bb0 42392->42408 42395->42359 42396->42357 42397->42357 42399 2b8f9ff 42398->42399 42400 2b8fa12 42398->42400 42399->42400 42470 2b8f930 42399->42470 42402 2b941b0 42400->42402 42403 2b94222 42402->42403 42404 2b941c4 42402->42404 42403->42366 42404->42403 42405 2b94216 42404->42405 42474 2b92660 21 API calls 42404->42474 42406 2b89180 8 API calls 42405->42406 42406->42403 42409 2b93bff 42408->42409 42413 2b93c25 42408->42413 42410 2b93c0d 42409->42410 42445 2b89450 8 API calls 42409->42445 42412 2b941b0 21 API calls 42410->42412 42430 2b93c20 42412->42430 42414 2b93ca7 42413->42414 42446 2b89450 8 API calls 42413->42446 42416 2b93cba 42414->42416 42447 2b89450 8 API calls 42414->42447 42418 2b93ccf 42416->42418 42419 2b93df9 42416->42419 42420 2b93ddf 42418->42420 42421 2b93ce2 42418->42421 42423 2b89150 8 API calls 42419->42423 42422 2b891b0 8 API calls 42420->42422 42448 2b93b50 8 API calls 42421->42448 42434 2b93d9a 42422->42434 42431 2b93e02 42423->42431 42425 2b93ceb 42426 2b93d9c 42425->42426 42427 2b93cf3 42425->42427 42428 2b93dd0 42426->42428 42455 2b93320 21 API calls 42426->42455 42449 2b89150 42427->42449 42456 2b891b0 42428->42456 42430->42367 42438 2b93e5f 42431->42438 42465 2b92f90 25 API calls 42431->42465 42434->42430 42437 2b93bb0 25 API calls 42434->42437 42435 2b941b0 21 API calls 42435->42434 42437->42434 42438->42435 42439 2b93d18 42439->42434 42453 2b93160 25 API calls 42439->42453 42441 2b93d5d 42442 2b93d91 42441->42442 42454 2b93320 21 API calls 42441->42454 42444 2b89180 8 API calls 42442->42444 42444->42434 42445->42410 42446->42414 42447->42416 42448->42425 42450 2b8915a 42449->42450 42451 2b8915e 42449->42451 42450->42439 42451->42450 42466 2b89450 8 API calls 42451->42466 42453->42441 42454->42442 42455->42428 42457 2b891f9 42456->42457 42458 2b891bf 42456->42458 42461 2b891dc 42457->42461 42469 2b89450 8 API calls 42457->42469 42459 2b891de 42458->42459 42460 2b891c4 42458->42460 42459->42461 42468 2b89450 8 API calls 42459->42468 42460->42461 42467 2b89450 8 API calls 42460->42467 42461->42434 42465->42438 42466->42450 42467->42461 42468->42461 42469->42461 42471 2b8f969 42470->42471 42472 2b8f940 42470->42472 42471->42399 42472->42471 42473 2b89180 8 API calls 42472->42473 42473->42471 42474->42405 42476 2b92410 42475->42476 42477 2b923ca 42475->42477 42479 2b92420 42476->42479 42477->42476 42478 2b92420 8 API calls 42477->42478 42478->42477 42480 2b9243b 42479->42480 42486 2b9248b 42479->42486 42481 2b92474 42480->42481 42482 2b924fc 42480->42482 42483 2b92452 42480->42483 42481->42486 42512 2b89450 8 API calls 42481->42512 42485 2b923b0 8 API calls 42482->42485 42482->42486 42483->42481 42483->42486 42487 2b92472 42483->42487 42485->42482 42486->42372 42486->42486 42487->42486 42488 2b92420 8 API calls 42487->42488 42488->42487 42490 2b93fe0 25 API calls 42489->42490 42494 2d014df 42490->42494 42491 2d01a8c 42491->42374 42492 2d01420 11 API calls 42492->42494 42494->42491 42494->42492 42497 2d01450 10 API calls 42494->42497 42513 2d027a0 102 API calls 42494->42513 42514 2d01ef0 68 API calls 42494->42514 42515 2d00f80 40 API calls 42494->42515 42497->42494 42498->42375 42499->42382 42500->42382 42502 2b9190e 42501->42502 42516 2b8fba0 42502->42516 42505->42380 42507 2b9261f 42506->42507 42508 2b92582 42506->42508 42507->42386 42508->42507 42523 2b92660 21 API calls 42508->42523 42524 2b97fc0 21 API calls 42508->42524 42525 2b89450 8 API calls 42508->42525 42512->42486 42513->42494 42514->42494 42515->42494 42517 2b8fbbf 42516->42517 42521 2b8fbc6 42516->42521 42522 2b8f7b0 8 API calls 42517->42522 42519 2b8f8e0 8 API calls 42520 2b8fbf4 42519->42520 42520->42382 42521->42519 42522->42521 42523->42508 42524->42508 42525->42508 42526 407c10 42527 407cdf 42526->42527 42528 407c2f 42526->42528 42531 407f64 42527->42531 42532 407ce8 42527->42532 42529 407c87 42528->42529 42530 407c3e 42528->42530 42533 407620 4 API calls 42529->42533 42538 407620 4 API calls 42530->42538 42553 407c4a 42530->42553 42531->42553 42572 407490 42531->42572 42534 407e10 42532->42534 42535 407d01 42532->42535 42550 407ca4 42533->42550 42537 407f0b 42534->42537 42543 407e3d 42534->42543 42534->42553 42540 407d26 42535->42540 42541 407ddb 42535->42541 42535->42553 42558 407620 42537->42558 42552 407c5d 42538->42552 42542 407d54 42540->42542 42540->42553 42547 407620 4 API calls 42541->42547 42600 4070a0 Sleep 42542->42600 42601 4070a0 Sleep 42543->42601 42544 407f32 42544->42553 42556 4079f0 5 API calls 42544->42556 42548 407de6 42547->42548 42548->42553 42557 4079f0 5 API calls 42548->42557 42549 407d5b 42549->42553 42550->42553 42554 4079f0 5 API calls 42550->42554 42551 407e48 42551->42537 42551->42553 42552->42553 42587 4079f0 42552->42587 42554->42553 42556->42553 42557->42553 42559 407889 42558->42559 42567 407654 42558->42567 42561 407896 42559->42561 42562 4079ce 42559->42562 42560 407663 42563 40767a 42560->42563 42568 407740 42560->42568 42561->42563 42564 4078aa 42561->42564 42562->42563 42602 407340 VirtualAlloc 42562->42602 42563->42544 42605 4070a0 Sleep 42564->42605 42567->42560 42569 407717 Sleep 42567->42569 42604 4070a0 Sleep 42568->42604 42569->42560 42571 407730 Sleep 42569->42571 42571->42567 42573 4074c0 VirtualQuery 42572->42573 42574 4075c2 42572->42574 42577 407589 42573->42577 42578 4074fc 42573->42578 42576 407620 4 API calls 42574->42576 42582 40756d 42574->42582 42583 4075dc 42576->42583 42579 407620 4 API calls 42577->42579 42578->42577 42580 407531 VirtualAlloc 42578->42580 42584 407591 42579->42584 42580->42577 42581 40754f VirtualAlloc 42580->42581 42581->42577 42581->42582 42582->42553 42583->42582 42585 4079f0 5 API calls 42583->42585 42584->42582 42586 4079f0 5 API calls 42584->42586 42585->42582 42586->42582 42588 407adb 42587->42588 42590 407a0d 42587->42590 42589 407a14 42588->42589 42592 407bf9 42588->42592 42591 407af5 42589->42591 42597 407afa 42589->42597 42599 407a1e 42589->42599 42590->42589 42593 407aa2 Sleep 42590->42593 42610 4070a0 Sleep 42591->42610 42592->42599 42606 4073d0 42592->42606 42593->42589 42596 407ac5 Sleep 42593->42596 42596->42590 42598 407b96 VirtualFree 42597->42598 42597->42599 42598->42599 42599->42553 42600->42549 42601->42551 42603 40737a 42602->42603 42603->42563 42604->42563 42605->42563 42607 4073eb 42606->42607 42608 407405 VirtualFree 42607->42608 42609 40741a 42607->42609 42608->42609 42609->42599 42610->42597 42611 409090 42612 40909f 42611->42612 42614 4090d9 42611->42614 42615 4090a4 42612->42615 42616 4090be 42612->42616 42613 4090bc 42614->42613 42622 409330 8 API calls 42614->42622 42615->42613 42620 409330 8 API calls 42615->42620 42616->42613 42621 409330 8 API calls 42616->42621 42620->42613 42621->42613 42622->42613 42623 2d01160 42624 2d01177 VariantClear 42623->42624 42625 2d0118b 42623->42625 42638 2d00e80 42624->42638 42626 2d011a2 42625->42626 42627 2d01192 42625->42627 42630 2d011b9 42626->42630 42631 2d011a9 42626->42631 42629 2b8f930 8 API calls 42627->42629 42637 2d01186 42629->42637 42633 2d011d4 42630->42633 42634 2d011de 42630->42634 42630->42637 42632 2b8f8e0 8 API calls 42631->42632 42632->42637 42642 2d01060 61 API calls 42633->42642 42643 2d0ee50 24 API calls 42634->42643 42639 2d00e88 42638->42639 42640 2d00e8d 42638->42640 42644 2d00af0 59 API calls 42639->42644 42640->42637 42642->42637 42643->42637 42644->42640 42645 3207490 42646 32074a5 42645->42646 42651 3206fe0 42646->42651 42722 2cfd440 42651->42722 42653 3207016 42725 2bcc870 42653->42725 42723 2b9e5c0 42722->42723 42724 2cfd450 LoadLibraryW LoadLibraryW 42723->42724 42724->42653 42726 2bcca31 42725->42726 42727 2b8f8e0 8 API calls 42726->42727 42728 2bcca3d 42727->42728 44134 2b90580 42728->44134 42735 2b90580 8 API calls 42736 2bccb6d 42735->42736 42737 2b90580 8 API calls 42736->42737 42738 2bccb84 42737->42738 42739 2bcafd0 8 API calls 42738->42739 42740 2bccb96 42739->42740 42741 2bcafd0 8 API calls 42740->42741 42742 2bccba8 42741->42742 44165 2b90af0 42742->44165 42745 2b90580 8 API calls 42746 2bccc4a 42745->42746 42747 2bcafd0 8 API calls 42746->42747 42748 2bccc5c 42747->42748 42749 2b90af0 8 API calls 42748->42749 42750 2bccc88 42749->42750 42751 2b90580 8 API calls 42750->42751 42752 2bccd74 42751->42752 42753 2b90580 8 API calls 42752->42753 42754 2bccd8b 42753->42754 42755 2b90580 8 API calls 42754->42755 42756 2bccda2 42755->42756 42757 2bcafd0 8 API calls 42756->42757 42758 2bccdb4 42757->42758 42759 2bcafd0 8 API calls 42758->42759 42760 2bccdc6 42759->42760 42761 2bcafd0 8 API calls 42760->42761 42762 2bccdd8 42761->42762 42763 2b90af0 8 API calls 42762->42763 42764 2bcce34 42763->42764 42765 2b90580 8 API calls 42764->42765 42766 2bcce92 42765->42766 42767 2bcafd0 8 API calls 42766->42767 42768 2bccea4 42767->42768 42769 2bcafd0 8 API calls 42768->42769 42770 2bcceb6 42769->42770 42771 2bcafd0 8 API calls 42770->42771 42772 2bccec8 42771->42772 42773 2bcafd0 8 API calls 42772->42773 42774 2bcceda 42773->42774 42775 2b90af0 8 API calls 42774->42775 42776 2bccf2a 42775->42776 42777 2b90580 8 API calls 42776->42777 42778 2bccfcf 42777->42778 42779 2b90580 8 API calls 42778->42779 42780 2bccfe6 42779->42780 42781 2bcafd0 8 API calls 42780->42781 42782 2bccff8 42781->42782 42783 2bcafd0 8 API calls 42782->42783 42784 2bcd00a 42783->42784 42785 2bcafd0 8 API calls 42784->42785 42786 2bcd01c 42785->42786 42787 2b90af0 8 API calls 42786->42787 42788 2bcd06c 42787->42788 42789 2b90580 8 API calls 42788->42789 42790 2bcd0ca 42789->42790 42791 2bcafd0 8 API calls 42790->42791 42792 2bcd0dc 42791->42792 42793 2b90af0 8 API calls 42792->42793 42794 2bcd108 42793->42794 42795 2b90580 8 API calls 42794->42795 42796 2bcd166 42795->42796 42797 2bcafd0 8 API calls 42796->42797 42798 2bcd175 42797->42798 42799 2b90af0 8 API calls 42798->42799 42800 2bcd19e 42799->42800 42801 2b90580 8 API calls 42800->42801 42802 2bcd1f9 42801->42802 42803 2bcafd0 8 API calls 42802->42803 42804 2bcd204 42803->42804 42805 2bcafd0 8 API calls 42804->42805 42806 2bcd213 42805->42806 42807 2bcafd0 8 API calls 42806->42807 42808 2bcd222 42807->42808 42809 2b90af0 8 API calls 42808->42809 42810 2bcd25a 42809->42810 42811 2b8f930 8 API calls 42810->42811 42812 2bcd267 42811->42812 42813 2b8f930 8 API calls 42812->42813 42814 2bcd273 42813->42814 42815 2b8f930 8 API calls 42814->42815 42816 2bcd27f 42815->42816 42817 2b8f930 8 API calls 42816->42817 42818 2bcd28b 42817->42818 42819 2b8f930 8 API calls 42818->42819 42820 2bcd297 42819->42820 42821 2b8f930 8 API calls 42820->42821 42822 2bcd2a3 42821->42822 42823 2b8f930 8 API calls 42822->42823 42824 2bcd2af 42823->42824 42825 2b8f930 8 API calls 42824->42825 42826 2bcd2bb 42825->42826 42827 2b8f9f0 8 API calls 42826->42827 42828 2bcd30c 42827->42828 42829 2b8f9f0 8 API calls 42828->42829 42830 2bcd31e 42829->42830 42831 31e5f80 42830->42831 42832 31e67f7 42831->42832 42833 31e6803 InitializeCriticalSection 42832->42833 44222 31ff7e0 42833->44222 42835 31e681d 42836 2dbb860 40 API calls 42835->42836 42837 31e688a 42836->42837 44228 31dc1e0 42837->44228 42840 31e68ed 42843 2dbb860 40 API calls 42840->42843 42842 31e68c0 42845 2dbb860 40 API calls 42842->42845 42844 31e6913 42843->42844 42846 31dc1e0 42 API calls 42844->42846 42845->42840 42847 31e6932 42846->42847 42848 31e6976 42847->42848 44590 31afd70 59 API calls 42847->44590 44242 2f85960 42848->44242 42851 31e6949 42852 2dbb860 40 API calls 42851->42852 42852->42848 42853 31e6989 44248 31e0220 42853->44248 42856 31dda30 25 API calls 42857 31e69d5 42856->42857 42858 2b8ff30 8 API calls 42857->42858 42859 31e69e8 42858->42859 44252 31dd5a0 42859->44252 42862 2b8ff30 8 API calls 42863 31e6a07 42862->42863 44259 2b91de0 42863->44259 42867 31e6a2d 44266 2db89c0 42867->44266 42869 31e6bd0 42870 2db89c0 42 API calls 42869->42870 42871 31e6be5 42870->42871 42872 2db89c0 42 API calls 42871->42872 42873 31e6bfa 42872->42873 42874 2db89c0 42 API calls 42873->42874 42875 31e6c0f 42874->42875 44270 313ab50 42875->44270 42877 31e6c24 42878 2db89c0 42 API calls 42877->42878 42879 31e6c39 42878->42879 42880 2db89c0 42 API calls 42879->42880 42881 31e6c4e 42880->42881 42882 2db89c0 42 API calls 42881->42882 42883 31e6c63 42882->42883 42884 2db89c0 42 API calls 42883->42884 42885 31e6c78 42884->42885 42886 2db89c0 42 API calls 42885->42886 42887 31e6cb7 42886->42887 44274 3148a90 42887->44274 42889 31e6ccc 44278 31dd4d0 42889->44278 44168 2b8fc50 44134->44168 44137 2bcafd0 44180 2bb1ff0 44137->44180 44142 2b8f8e0 8 API calls 44143 2bcb00e 44142->44143 44144 2b90820 44143->44144 44145 2b90842 44144->44145 44146 2b90854 44144->44146 44203 2b90050 8 API calls 44145->44203 44148 2b9085c 44146->44148 44149 2b90870 44146->44149 44204 2b90050 8 API calls 44148->44204 44152 2b9087d 44149->44152 44153 2b9088f 44149->44153 44150 2b9084f 44150->42735 44205 2b90720 8 API calls 44152->44205 44155 2b90898 44153->44155 44156 2b9091c 44153->44156 44157 2b908c3 44155->44157 44206 2b8c110 8 API calls 44155->44206 44207 2b90050 8 API calls 44156->44207 44161 2b8f810 8 API calls 44157->44161 44160 2b9092b 44208 2b90720 8 API calls 44160->44208 44163 2b908d1 44161->44163 44164 2b8f930 8 API calls 44163->44164 44164->44150 44209 2b90950 44165->44209 44173 2b8f810 44168->44173 44170 2b8fc6c 44171 2b8f930 8 API calls 44170->44171 44172 2b8fc8a 44171->44172 44172->44137 44174 2b8f820 44173->44174 44178 2b8f844 44173->44178 44175 2b8f82d 44174->44175 44179 2b8c110 8 API calls 44174->44179 44177 2b89150 8 API calls 44175->44177 44177->44178 44178->44170 44179->44175 44181 2bb200b 44180->44181 44182 2bb1ffc 44180->44182 44193 2bb1af0 8 API calls 44181->44193 44192 2bb1af0 8 API calls 44182->44192 44185 2bb2009 44186 2b90f30 44185->44186 44187 2b90f39 44186->44187 44188 2b90f40 44186->44188 44189 2b8f930 8 API calls 44187->44189 44194 2b8fe80 44188->44194 44191 2b90f3e 44189->44191 44191->44142 44192->44185 44193->44185 44195 2b8fe9d 44194->44195 44197 2b8fea9 44194->44197 44196 2b8f930 8 API calls 44195->44196 44200 2b8fea7 44196->44200 44202 2b90e70 8 API calls 44197->44202 44199 2b8fee1 44199->44200 44201 2b8f930 8 API calls 44199->44201 44200->44191 44201->44200 44202->44199 44203->44150 44204->44150 44205->44150 44206->44157 44207->44160 44208->44150 44215 2b9097a 44209->44215 44210 2b90a16 44211 2b90a1c 44210->44211 44212 2b90a47 44210->44212 44221 2b90e70 8 API calls 44211->44221 44214 2b8f810 8 API calls 44212->44214 44218 2b90a37 44214->44218 44215->44210 44220 2b8c110 8 API calls 44215->44220 44217 2b90ace 44217->42745 44218->44217 44219 2b8f930 8 API calls 44218->44219 44219->44217 44220->44215 44221->44218 44223 31ff802 44222->44223 44591 3203500 44223->44591 44225 31ff826 44594 31ff8c0 44225->44594 44227 31ff835 44227->42835 44232 31dc217 44228->44232 44229 2b8f930 8 API calls 44230 31dc5e6 44229->44230 44230->42840 44589 31afd70 59 API calls 44230->44589 44231 31dc300 44231->44229 44232->44231 44614 31d6fa0 CryptImportKey 44232->44614 44243 2f85981 44242->44243 44247 2f859c5 44243->44247 44615 31e3ca0 44243->44615 44246 31e3ca0 38 API calls 44246->44247 44247->42853 44249 31e023b 44248->44249 44671 2b90660 44249->44671 44253 2b89150 8 API calls 44252->44253 44254 31dd5c0 44253->44254 44675 2b91820 44254->44675 44257 2b89180 8 API calls 44258 31dd5e7 44257->44258 44258->42862 44260 2b91df2 44259->44260 44261 2b8fba0 8 API calls 44260->44261 44262 2b91e31 44261->44262 44263 2e4b2a0 44262->44263 44679 2cfcac0 44263->44679 44267 2db89da 44266->44267 44732 2db4f80 44267->44732 44269 2db89f8 44269->42869 44271 313ab6a 44270->44271 44272 2b8ff30 8 API calls 44271->44272 44273 313abc0 44272->44273 44273->42877 44275 3148aaa 44274->44275 44743 314f380 44275->44743 44277 3148ad6 44277->42889 44279 2b8f980 SysFreeString 44278->44279 44280 31dd4ec 44279->44280 44281 2b89150 8 API calls 44280->44281 44282 31dd4f8 44281->44282 44756 31d6ec0 SHGetPathFromIDListW 44282->44756 44589->42842 44590->42851 44598 2d851f0 44591->44598 44593 3203523 44593->44225 44595 31ff8e6 44594->44595 44596 3203500 8 API calls 44595->44596 44597 31ff974 44595->44597 44596->44597 44597->44227 44599 2d851fe 44598->44599 44600 2d85245 44598->44600 44608 2d85243 44599->44608 44610 2d83af0 8 API calls 44599->44610 44601 2d8524d 44600->44601 44602 2d85253 44600->44602 44603 2d8526b 44601->44603 44607 2d85251 44601->44607 44611 2d84370 8 API calls 44602->44611 44613 2b89450 8 API calls 44603->44613 44612 2d843e0 8 API calls 44607->44612 44608->44593 44610->44608 44611->44608 44612->44608 44613->44608 44616 31e3d0e 44615->44616 44617 2f859ae 44615->44617 44618 31e3d7b GetProcessHeap 44616->44618 44619 31e3d47 VirtualAlloc 44616->44619 44617->44246 44620 31e3d95 44618->44620 44619->44617 44619->44618 44621 31e3da6 VirtualFree 44620->44621 44622 31e3dc0 44620->44622 44621->44617 44623 31e3ddb VirtualAlloc 44622->44623 44624 31e3e38 44623->44624 44642 31e2d60 44624->44642 44628 31e3e7b 44649 31e3bc0 44628->44649 44632 31e3ede 44633 31e3ee7 44632->44633 44634 31e3ee2 44632->44634 44653 31e30d0 44633->44653 44661 31e2c70 8 API calls 44634->44661 44639 31e3efc 44640 31e3f11 44639->44640 44663 31e2c70 8 API calls 44639->44663 44640->44617 44643 31e2e9b 44642->44643 44645 31e2dd0 44642->44645 44643->44628 44659 31e2c70 8 API calls 44643->44659 44644 31e2e67 VirtualAlloc 44644->44643 44644->44645 44645->44643 44645->44644 44646 31e2df6 VirtualAlloc 44645->44646 44647 31e2e27 44646->44647 44648 31e2e30 44646->44648 44647->44643 44648->44645 44651 31e3bd8 44649->44651 44650 31e3c67 44660 31e3540 29 API calls 44650->44660 44651->44650 44652 31e3c17 RtlAddFunctionTable 44651->44652 44652->44650 44658 31e3145 44653->44658 44654 31e3288 44655 31e2f90 2 API calls 44654->44655 44656 31e324e 44655->44656 44656->44639 44662 31e2c70 8 API calls 44656->44662 44658->44654 44658->44656 44664 31e2f90 44658->44664 44659->44628 44660->44632 44661->44633 44662->44639 44663->44640 44665 31e2faa 44664->44665 44666 31e2fb3 44664->44666 44665->44658 44667 31e3027 VirtualProtect 44666->44667 44669 31e2fc2 44666->44669 44667->44665 44669->44665 44670 31e3004 VirtualFree 44669->44670 44670->44665 44672 2b9066c 44671->44672 44673 2b8fc50 8 API calls 44672->44673 44674 2b9068a 44673->44674 44674->42856 44676 2b91834 44675->44676 44677 2b8fba0 8 API calls 44676->44677 44678 2b91842 44677->44678 44678->44257 44688 2b900d0 44679->44688 44684 2cfcb0a 44686 2b8f930 8 API calls 44684->44686 44685 2cfcb00 GetNativeSystemInfo 44685->44684 44687 2cfcb14 44686->44687 44687->42867 44689 2b900eb 44688->44689 44690 2b8f930 8 API calls 44689->44690 44691 2b90107 44690->44691 44692 2cfd4d0 44691->44692 44693 2cfd4ed 44692->44693 44694 2cfd54e 44693->44694 44695 2cfd4fa 44693->44695 44696 2cfd577 44694->44696 44697 2cfd553 44694->44697 44698 2cfd664 LoadLibraryW 44695->44698 44699 2cfd503 44695->44699 44703 2cfd6e7 LoadLibraryW 44696->44703 44704 2cfd582 44696->44704 44701 2cfd55c 44697->44701 44702 2cfd6c7 LoadLibraryW 44697->44702 44700 2cfd725 44698->44700 44705 2cfd508 44699->44705 44706 2cfd533 44699->44706 44713 2cfd72f 44700->44713 44714 2cfd753 44700->44714 44711 2cfd687 LoadLibraryW 44701->44711 44712 2cfd567 44701->44712 44702->44700 44703->44700 44704->44700 44715 2cfd58d LoadLibraryW 44704->44715 44707 2cfd5fb LoadLibraryW 44705->44707 44708 2cfd511 44705->44708 44709 2cfd61e LoadLibraryW 44706->44709 44710 2cfd53e 44706->44710 44707->44700 44716 2cfd518 44708->44716 44717 2cfd592 LoadLibraryW 44708->44717 44709->44700 44710->44700 44718 2cfd549 LoadLibraryW 44710->44718 44711->44700 44712->44700 44719 2cfd572 LoadLibraryW 44712->44719 44731 2cfd8a0 9 API calls 44713->44731 44724 2b8f930 8 API calls 44714->44724 44715->44700 44722 2cfd5b5 LoadLibraryW 44716->44722 44723 2cfd523 44716->44723 44717->44700 44718->44700 44719->44700 44722->44700 44723->44700 44728 2cfd52e LoadLibraryW 44723->44728 44729 2cfcafc 44724->44729 44727 2cfd73c 44727->44714 44728->44700 44729->44684 44729->44685 44731->44727 44733 2db4f9a 44732->44733 44738 2bc6620 44733->44738 44735 2db4fbd 44736 2b8ff30 8 API calls 44735->44736 44737 2db4fd9 44736->44737 44737->44269 44739 2bc664f 44738->44739 44740 2bc662e 44738->44740 44739->44735 44742 2bc8920 42 API calls 44740->44742 44742->44739 44744 314f3a2 44743->44744 44749 3155160 44744->44749 44746 314f3c6 44752 314f460 44746->44752 44748 314f3d5 44748->44277 44750 2d851f0 8 API calls 44749->44750 44751 3155183 44750->44751 44751->44746 44753 314f486 44752->44753 44754 3155160 8 API calls 44753->44754 44755 314f514 44753->44755 44754->44755 44755->44748 44757 32d1820 44756->44757 45506 407f90 45507 407620 4 API calls 45506->45507 45508 407fa9 45507->45508 45509 2e4c670 45510 2e4c6a8 45509->45510 45511 2b8f8e0 8 API calls 45510->45511 45512 2e4c6b9 45511->45512 45531 2cfbc80 45512->45531 45515 2e4c82e 45517 2b8f8e0 8 API calls 45515->45517 45516 2b89150 8 API calls 45530 2e4c707 45516->45530 45518 2e4c838 45517->45518 45519 2b8f8e0 8 API calls 45518->45519 45521 2e4c844 45519->45521 45520 2e4c81b 45522 2b89180 8 API calls 45520->45522 45524 2e4c825 45522->45524 45526 2cfbf20 22 API calls 45524->45526 45526->45515 45527 2b8fba0 8 API calls 45527->45530 45528 2b8ff30 8 API calls 45528->45530 45529 2b91cf0 8 API calls 45529->45530 45530->45520 45530->45527 45530->45528 45530->45529 45540 2cfc1e0 45530->45540 45549 2cfc2d0 45530->45549 45532 2b900d0 8 API calls 45531->45532 45533 2cfbcb1 45532->45533 45534 2cfd4d0 21 API calls 45533->45534 45535 2cfbcc8 45534->45535 45536 2cfbcee 45535->45536 45537 2cfbccc RegOpenKeyExW 45535->45537 45538 2b8f930 8 API calls 45536->45538 45537->45536 45539 2cfbcf8 45538->45539 45539->45515 45539->45516 45541 2b900d0 8 API calls 45540->45541 45542 2cfc210 45541->45542 45543 2cfd4d0 21 API calls 45542->45543 45544 2cfc227 45543->45544 45545 2cfc22b RegEnumKeyExW 45544->45545 45546 2cfc273 45544->45546 45545->45546 45547 2b8f930 8 API calls 45546->45547 45548 2cfc27d 45547->45548 45548->45530 45550 2b900d0 8 API calls 45549->45550 45551 2cfc300 45550->45551 45552 2cfd4d0 21 API calls 45551->45552 45553 2cfc317 45552->45553 45554 2cfc31b RegEnumValueW 45553->45554 45555 2cfc363 45553->45555 45554->45555 45556 2b8f930 8 API calls 45555->45556 45557 2cfc36d 45556->45557 45557->45530 45558 2b98a00 45559 2b98a2d 45558->45559 45566 2b98a67 45558->45566 45560 2b98a69 45559->45560 45561 2b98a37 45559->45561 45563 2b91820 8 API calls 45560->45563 45567 2b94980 45561->45567 45563->45566 45564 2b98a42 45565 2b8fba0 8 API calls 45564->45565 45565->45566 45568 2b94990 45567->45568 45569 2b949aa 45567->45569 45568->45569 45571 2b94920 45568->45571 45569->45564 45572 2b94955 45571->45572 45573 2b94936 45571->45573 45572->45569 45575 2b96190 GetModuleFileNameW 45573->45575 45576 2b91880 8 API calls 45575->45576 45577 2b961e4 45576->45577 45578 2b91820 8 API calls 45577->45578 45579 2b961f1 45578->45579 45586 2b95f60 45579->45586 45581 2b8f9c0 8 API calls 45582 2b96237 45581->45582 45583 2b8f8e0 8 API calls 45582->45583 45585 2b96240 45583->45585 45584 2b96202 45584->45581 45585->45572 45587 2b95fc6 45586->45587 45588 2b8f8e0 8 API calls 45587->45588 45589 2b95fdc 45588->45589 45607 2b9607e 45589->45607 45623 2b8ffb0 8 API calls 45589->45623 45590 2b8f9c0 8 API calls 45592 2b9612f 45590->45592 45593 2b8f9c0 8 API calls 45592->45593 45595 2b96141 45593->45595 45594 2b95ffa 45596 2b9603c 45594->45596 45598 2b91de0 8 API calls 45594->45598 45595->45584 45624 2b95b90 45596->45624 45598->45596 45600 2b9605d 45634 2b95d20 10 API calls 45600->45634 45601 2b96083 45635 2b95320 21 API calls 45601->45635 45603 2b96071 45604 2b8ff30 8 API calls 45603->45604 45604->45607 45606 2b96093 45636 2b95d20 10 API calls 45606->45636 45607->45590 45609 2b960a7 45610 2b8ff30 8 API calls 45609->45610 45611 2b960b4 45610->45611 45612 2b960f8 45611->45612 45613 2b960c7 GetSystemDefaultUILanguage 45611->45613 45612->45607 45614 2b96102 45612->45614 45637 2b95320 21 API calls 45613->45637 45639 2b95e40 12 API calls 45614->45639 45617 2b960d7 45638 2b95d20 10 API calls 45617->45638 45618 2b96112 45619 2b8ff30 8 API calls 45618->45619 45619->45607 45621 2b960eb 45622 2b8ff30 8 API calls 45621->45622 45622->45612 45623->45594 45625 2b95bc9 45624->45625 45626 2b95bb3 45624->45626 45628 2b91820 8 API calls 45625->45628 45640 2b95760 45626->45640 45630 2b95bd9 45628->45630 45632 2b8f8e0 8 API calls 45630->45632 45633 2b95be3 45632->45633 45633->45600 45633->45601 45634->45603 45635->45606 45636->45609 45637->45617 45638->45621 45639->45618 45641 2b95789 45640->45641 45642 2b95794 GetModuleFileNameW 45641->45642 45643 2b957a8 45641->45643 45642->45643 45644 2b957d1 RegOpenKeyExW 45643->45644 45662 2b95a2a 45643->45662 45645 2b9580c RegOpenKeyExW 45644->45645 45646 2b958f4 45644->45646 45645->45646 45648 2b9583c RegOpenKeyExW 45645->45648 45669 2b95510 lstrlenW 45646->45669 45647 2b8f8e0 8 API calls 45650 2b95a37 45647->45650 45648->45646 45651 2b9586c RegOpenKeyExW 45648->45651 45668 2b95c10 8 API calls 45650->45668 45651->45646 45653 2b95898 RegOpenKeyExW 45651->45653 45652 2b95908 RegQueryValueExW 45654 2b95934 45652->45654 45655 2b95987 RegQueryValueExW 45652->45655 45653->45646 45658 2b958c4 RegOpenKeyExW 45653->45658 45659 2b89150 8 API calls 45654->45659 45656 2b95982 45655->45656 45657 2b959b6 45655->45657 45661 2b95a1e RegCloseKey 45656->45661 45665 2b89180 8 API calls 45656->45665 45660 2b89150 8 API calls 45657->45660 45658->45646 45658->45662 45663 2b9593d RegQueryValueExW 45659->45663 45664 2b959bf RegQueryValueExW 45660->45664 45661->45662 45662->45647 45666 2b91820 8 API calls 45663->45666 45667 2b91820 8 API calls 45664->45667 45665->45661 45666->45656 45667->45656 45668->45625 45669->45652 45670 2bbafe0 45671 2bbb00b 45670->45671 45672 2bbb012 FormatMessageW 45670->45672 45671->45672 45673 2bbb048 45672->45673 45674 2b8fba0 8 API calls 45673->45674 45675 2bbb081 LocalFree 45674->45675 45676 2cfbfb0 45677 2b900d0 8 API calls 45676->45677 45678 2cfbfe1 45677->45678 45679 2cfd4d0 21 API calls 45678->45679 45680 2cfbff8 45679->45680 45681 2cfbffc RegQueryValueExW 45680->45681 45682 2cfc027 45680->45682 45681->45682 45683 2b8f930 8 API calls 45682->45683 45684 2cfc031 45683->45684

                                                                                                    Executed Functions

                                                                                                    Function 031DB300 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 231windowCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CompatibleCreateDeleteObject$BitmapSelectStretchWindow$BitsDesktopMetricsModeRectReleaseSystem
                                                                                                    • String ID: $
                                                                                                    • API String ID: 2533549768-227171996
                                                                                                    • Opcode ID: e142d8d1b97033eed90c1ed24998601a971127803ee175d60fd6ad802c57c980
                                                                                                    • Instruction ID: 3f21f2cbde080350faf385023dc6a1da1e88751cff5a24f838b3ca4da725bf0b
                                                                                                    • Opcode Fuzzy Hash: e142d8d1b97033eed90c1ed24998601a971127803ee175d60fd6ad802c57c980
                                                                                                    • Instruction Fuzzy Hash: 88C18876211AC4CEDB70DF26D890BDE37A1F789B88F408516CA4E8BB29DB74C644CB54
                                                                                                    Function 00413460 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 149registryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open$QueryValue$CloseFileModuleName
                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                                    • API String ID: 2701450724-3496071916
                                                                                                    • Opcode ID: 7ade3a95225c056846df00e56e791a7fb267f3fc65bc21e65bce8b5e4d9c48e7
                                                                                                    • Instruction ID: 4becd74f4cbef4d0ffe516b0d7dc880996d4af499f980d432614694359d8a286
                                                                                                    • Opcode Fuzzy Hash: 7ade3a95225c056846df00e56e791a7fb267f3fc65bc21e65bce8b5e4d9c48e7
                                                                                                    • Instruction Fuzzy Hash: 1B612AB2204FC198DB30DF61E8943DA23A8F78578DF50412AAA4D5BB59EF38C754C349
                                                                                                    Function 02B95760 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 149registryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Open$QueryValue$CloseFileModuleName
                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                                    • API String ID: 2701450724-3496071916
                                                                                                    • Opcode ID: 031637972bb968aeb48e8b6addb9fc4708b3a02e05f4c42501ef9ac1e3d719c8
                                                                                                    • Instruction ID: 93ce69bb4ebcc710bceeacd33dd6d087aeaa4077ddba59f15152aa2915e0f973
                                                                                                    • Opcode Fuzzy Hash: 031637972bb968aeb48e8b6addb9fc4708b3a02e05f4c42501ef9ac1e3d719c8
                                                                                                    • Instruction Fuzzy Hash: 1861E832244BC589DF30EF61E8983DA23AAF78978DF901165DA4D4BA29EF74C248C744
                                                                                                    Function 03206FE0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 217threadsleepCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD440: LoadLibraryW.KERNEL32 ref: 02CFD45E
                                                                                                      • Part of subcall function 02CFD440: LoadLibraryW.KERNEL32 ref: 02CFD471
                                                                                                      • Part of subcall function 031DD2D0: GetModuleFileNameW.KERNEL32 ref: 031DD30B
                                                                                                    • ExitProcess.KERNEL32 ref: 03207071
                                                                                                      • Part of subcall function 031F0B40: Sleep.KERNEL32 ref: 031F0C42
                                                                                                      • Part of subcall function 031F0B40: Sleep.KERNEL32 ref: 031F0C60
                                                                                                      • Part of subcall function 031F0B40: GetModuleHandleW.KERNEL32 ref: 031F0CBF
                                                                                                    • Sleep.KERNEL32 ref: 03207110
                                                                                                    • FindWindowW.USER32 ref: 03207144
                                                                                                    • ExitProcess.KERNEL32 ref: 0320716A
                                                                                                    • SetThreadPriority.KERNEL32 ref: 0320726A
                                                                                                    • ResumeThread.KERNEL32 ref: 03207273
                                                                                                      • Part of subcall function 031F0730: Sleep.KERNEL32 ref: 031F0882
                                                                                                    • ExitProcess.KERNEL32 ref: 032073BD
                                                                                                      • Part of subcall function 02B8F980: SysFreeString.OLEAUT32 ref: 02B8F9A3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Sleep$ExitProcess$LibraryLoadModuleThread$FileFindFreeHandleNamePriorityResumeStringWindow
                                                                                                    • String ID: Install$start.bmp
                                                                                                    • API String ID: 468556231-3890089039
                                                                                                    • Opcode ID: e20b834c66bf72810176ba3c5aea33edc0bc8c54e4616edb835fd44878655159
                                                                                                    • Instruction ID: 2c1c1d5b70a7e2007ad4fab675a7f498806178762f4bc06473a0df9f32d600eb
                                                                                                    • Opcode Fuzzy Hash: e20b834c66bf72810176ba3c5aea33edc0bc8c54e4616edb835fd44878655159
                                                                                                    • Instruction Fuzzy Hash: FEA15D36210B4489EB05EF79D8903ED37A6F788B98F444067EA4E4B768DF38C645C790
                                                                                                    Function 031E48B0 Relevance: 12.1, APIs: 8, Instructions: 92memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProcessToken$AllocateCloseCurrentEqualErrorFreeHandleInformationInitializeLastOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1525203095-0
                                                                                                    • Opcode ID: 446e1225aafa8eb83bd7f4a9918257a6a0bf7d4e9a063d75aa0938ca2bc13a85
                                                                                                    • Instruction ID: fa8b15092fd27c19dfb203795651ca2ed674752e5127a4dc5191e0dddc6badef
                                                                                                    • Opcode Fuzzy Hash: 446e1225aafa8eb83bd7f4a9918257a6a0bf7d4e9a063d75aa0938ca2bc13a85
                                                                                                    • Instruction Fuzzy Hash: F541E072204BC18EEB70EF32D8457DA37A5F389758F004129CA8D4BB49DF798288CB45
                                                                                                    Function 031E3CA0 Relevance: 5.1, APIs: 4, Instructions: 147memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 528 31e3ca0-31e3d08 529 31e3d0e-31e3d45 call 2b9e8d0 528->529 530 31e3f96-31e3fa5 528->530 533 31e3d7b-31e3da4 GetProcessHeap call 31d6ed0 529->533 534 31e3d47-31e3d75 VirtualAlloc 529->534 537 31e3da6-31e3dbb VirtualFree 533->537 538 31e3dc0-31e3e74 call 2b9e2a0 VirtualAlloc call 2b89590 call 31e2d60 533->538 534->530 534->533 537->530 545 31e3e7b-31e3e9d 538->545 546 31e3e76 call 31e2c70 538->546 548 31e3e9f-31e3eb9 call 31e33f0 545->548 549 31e3ebb-31e3ec2 545->549 546->545 551 31e3ec6-31e3ed2 call 31e3bc0 548->551 549->551 555 31e3ed9 call 31e3540 551->555 556 31e3ede-31e3ee0 555->556 557 31e3ee7-31e3eee call 31e30d0 556->557 558 31e3ee2 call 31e2c70 556->558 561 31e3ef3-31e3ef5 557->561 558->557 562 31e3efc-31e3f0a call 31e3310 561->562 563 31e3ef7 call 31e2c70 561->563 567 31e3f0c call 31e2c70 562->567 568 31e3f11-31e3f1f 562->568 563->562 567->568 570 31e3f69-31e3f77 568->570 571 31e3f21-31e3f5c 568->571 570->530 571->530 573 31e3f5e-31e3f65 571->573 573->570
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32 ref: 031E3D61
                                                                                                    • GetProcessHeap.KERNEL32 ref: 031E3D7B
                                                                                                    • VirtualFree.KERNEL32 ref: 031E3DB6
                                                                                                    • VirtualAlloc.KERNEL32 ref: 031E3E07
                                                                                                      • Part of subcall function 031E2D60: VirtualAlloc.KERNEL32 ref: 031E2E17
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Alloc$FreeHeapProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 719661961-0
                                                                                                    • Opcode ID: bcd123fef7375855e003a27483dec7b09509e37434e0eee1d1b1c16d01cb3b32
                                                                                                    • Instruction ID: a626e7d9e299dcd218a197da1be55fff9668632301744cc6ed2e0aff2d91a8b9
                                                                                                    • Opcode Fuzzy Hash: bcd123fef7375855e003a27483dec7b09509e37434e0eee1d1b1c16d01cb3b32
                                                                                                    • Instruction Fuzzy Hash: 7C71AD3A200BC48EDBB0DF26D8907D93764F789B98F148456CA9D4BB68DF36C689C341
                                                                                                    Function 00413B40 Relevance: 3.1, APIs: 2, Instructions: 58COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetUserDefaultUILanguage.KERNEL32 ref: 00413B6E
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 00413B87
                                                                                                      • Part of subcall function 00413990: FindFirstFileW.KERNEL32 ref: 004139C2
                                                                                                      • Part of subcall function 00413990: FindClose.KERNEL32 ref: 004139DD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 3216391948-0
                                                                                                    • Opcode ID: 611bbe8fcb696edeeafcc5f7ff2a317914d6dc5741a7ffd85a16010cbc820f6f
                                                                                                    • Instruction ID: 292d52a8304f6cf8ab8f430e3f2a0195ac2bdc75b3aeec1a29b4aa6f310b2601
                                                                                                    • Opcode Fuzzy Hash: 611bbe8fcb696edeeafcc5f7ff2a317914d6dc5741a7ffd85a16010cbc820f6f
                                                                                                    • Instruction Fuzzy Hash: 6D21F576220A4189DB10EF36C8913D92760FB88BDCF50252BFA4E57B59CF38C5858784
                                                                                                    Function 00413990 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 2295610775-0
                                                                                                    • Opcode ID: 6f0bc05c66a0ddd75a871b086dca689025409068fde9ab6ddbc2cf3fcbe48956
                                                                                                    • Instruction ID: fc9851363eee4d35118c9d352aae42b6ee6f2a3e2a778567fb8ba57b981f0a49
                                                                                                    • Opcode Fuzzy Hash: 6f0bc05c66a0ddd75a871b086dca689025409068fde9ab6ddbc2cf3fcbe48956
                                                                                                    • Instruction Fuzzy Hash: 77F089223129C089CB71FF32D8953ED3311DB4676CF08573AA66E1BBE5DD25C6558704
                                                                                                    Function 02B95C90 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 2295610775-0
                                                                                                    • Opcode ID: 6d90fa00a24bb7c0df1951677107dcdf8d930462e462c1d10a482571dffe8038
                                                                                                    • Instruction ID: 6720fab0e239de6e77c92191b9ecd8bf8912cc0c3406ec327b6df74d31e9c6b4
                                                                                                    • Opcode Fuzzy Hash: 6d90fa00a24bb7c0df1951677107dcdf8d930462e462c1d10a482571dffe8038
                                                                                                    • Instruction Fuzzy Hash: CEF05E262029C089CF71BF30C8A43E82722EB467ACF5813A1D66D0BAE4DE10C695DB00
                                                                                                    Function 031E4AB0 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetTimeZoneInformation.KERNEL32 ref: 031E4ACE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: InformationTimeZone
                                                                                                    • String ID:
                                                                                                    • API String ID: 565725191-0
                                                                                                    • Opcode ID: 04db01c130ec518c0e7cda74218f660d94ac8ff6d9462e9ecd5653adf95b141a
                                                                                                    • Instruction ID: f481f15191d5cdc4e41ab52561fd6bdcbc9a45bdc21c10a1e483357af655c906
                                                                                                    • Opcode Fuzzy Hash: 04db01c130ec518c0e7cda74218f660d94ac8ff6d9462e9ecd5653adf95b141a
                                                                                                    • Instruction Fuzzy Hash: 48119372600591CFD7A8CF3AC880B983BE4E34835CF50A42AB61BCBB58D671D9828F44
                                                                                                    Function 031DC1E0 Relevance: .3, Instructions: 252COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e67d6cc026181feb361887bf6cd4a0c118851b2dc548eb929cf7f52a2160ae21
                                                                                                    • Instruction ID: 3c7f233509c6566b64b3f2013952ddfc50023061189be9557d2a09e92a69d1d8
                                                                                                    • Opcode Fuzzy Hash: e67d6cc026181feb361887bf6cd4a0c118851b2dc548eb929cf7f52a2160ae21
                                                                                                    • Instruction Fuzzy Hash: 41B1C67A201F848ADB60DF76C89479E37A5F78AB98F448112DE4D8BB68DF38C549C740
                                                                                                    Function 031DBD10 Relevance: .2, Instructions: 224COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ad80823733e1a30147a3939e6fd4000f6195e92ca26f7aec4b333f27722430cc
                                                                                                    • Instruction ID: be009db0918a91a3a4fdab6ffb87568183514466a238d5a4723f8e624d1695eb
                                                                                                    • Opcode Fuzzy Hash: ad80823733e1a30147a3939e6fd4000f6195e92ca26f7aec4b333f27722430cc
                                                                                                    • Instruction Fuzzy Hash: 8C910A3A201B848ADB60DF76D8907DE37A5F78AB98F448116DE4D8BB68DF38C644C744
                                                                                                    Function 004163D0 Relevance: .0, Instructions: 6COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f15bcea6c51cb1f5c493ca7f1bcebe5933ff2baa02b075701eeaa5281f91d76
                                                                                                    • Instruction ID: 58624ee24e25342257f2bf848bdb4711d7aae8261a22fd546761576b7fc313d3
                                                                                                    • Opcode Fuzzy Hash: 4f15bcea6c51cb1f5c493ca7f1bcebe5933ff2baa02b075701eeaa5281f91d76
                                                                                                    • Instruction Fuzzy Hash: 0CB09222B288C083C911FB04D84200A7231BBD070CFD00011E28942655CA2CCA268E04
                                                                                                    Function 031DE990 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 287COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 02E4C270: IsTextUnicode.ADVAPI32 ref: 02E4C314
                                                                                                    • GetVolumeInformationW.KERNEL32 ref: 031DED32
                                                                                                    Strings
                                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId, xrefs: 031DEC76
                                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildGUID, xrefs: 031DEC31
                                                                                                    • INTEL, xrefs: 031DEB53
                                                                                                    • SOFTWARE\Microsoft\Cryptography\MachineGuid, xrefs: 031DEA93
                                                                                                    • HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier, xrefs: 031DEAD8
                                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx, xrefs: 031DEBEC
                                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate, xrefs: 031DED74
                                                                                                    • AMD , xrefs: 031DEB90
                                                                                                    • HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, xrefs: 031DEB1D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: InformationTextUnicodeVolume
                                                                                                    • String ID: AMD $HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier$HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString$INTEL$SOFTWARE\Microsoft\Cryptography\MachineGuid$SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildGUID$SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx$SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate$SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
                                                                                                    • API String ID: 368135902-1519853149
                                                                                                    • Opcode ID: 9addfc171481b9717211b51f1ea89e87cedc464a7ad88a5fb678d04eba1cd5ea
                                                                                                    • Instruction ID: eb66558b797f87c2e9afe961fa852b4484c89e3a57c4d163169ff24470bcb34c
                                                                                                    • Opcode Fuzzy Hash: 9addfc171481b9717211b51f1ea89e87cedc464a7ad88a5fb678d04eba1cd5ea
                                                                                                    • Instruction Fuzzy Hash: D6F1E032211EC099DB30EF75DCA03EA2366FB49799F905152DA4D4BB98EF74C249CB50
                                                                                                    Function 031DA990 Relevance: 13.6, APIs: 9, Instructions: 131COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8F980: SysFreeString.OLEAUT32 ref: 02B8F9A3
                                                                                                    • OpenProcessToken.ADVAPI32 ref: 031DA9FF
                                                                                                    • GetTokenInformation.ADVAPI32 ref: 031DAA2B
                                                                                                    • GetLastError.KERNEL32 ref: 031DAA38
                                                                                                    • GetTokenInformation.ADVAPI32 ref: 031DAA86
                                                                                                    • GetLastError.KERNEL32 ref: 031DAA93
                                                                                                    • CloseHandle.KERNEL32 ref: 031DAAAE
                                                                                                    • LookupAccountSidW.ADVAPI32 ref: 031DAAFC
                                                                                                    • LookupAccountSidW.ADVAPI32 ref: 031DAB75
                                                                                                    • CloseHandle.KERNEL32 ref: 031DABC7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Token$AccountCloseErrorHandleInformationLastLookup$FreeOpenProcessString
                                                                                                    • String ID:
                                                                                                    • API String ID: 1376578906-0
                                                                                                    • Opcode ID: 422c7be46e371c5c8947a96fe0f9e29c0cac9278afd33d9dd48c4eb6d065c8df
                                                                                                    • Instruction ID: cdf6a594041500be80f8c9d86f9c5ba1f91f5091d4b778a069ba4ff07f53e4eb
                                                                                                    • Opcode Fuzzy Hash: 422c7be46e371c5c8947a96fe0f9e29c0cac9278afd33d9dd48c4eb6d065c8df
                                                                                                    • Instruction Fuzzy Hash: 83513432611A80DEDB20EF39D8407DA37A6F789788F448266EA4D47B6CDF34C685CB40
                                                                                                    Function 031E5660 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28libraryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 381 31e5660-31e567d LoadLibraryW 382 31e56af-31e56ba 381->382 383 31e567f-31e56ad call 2b9e130 * 2 381->383 385 31e56c5-31e56ec LoadLibraryW call 2b9e130 382->385 383->385
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32 ref: 031E566F
                                                                                                    • LoadLibraryW.KERNEL32 ref: 031E56CC
                                                                                                      • Part of subcall function 02B9E130: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E162
                                                                                                      • Part of subcall function 02B9E130: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E18E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$QueryFullProcessImageNameW$kernel32.dll$psapi.dll
                                                                                                    • API String ID: 2574300362-2073759260
                                                                                                    • Opcode ID: 413eaea67b32c6142be40aec78ba1c714cdafbaa90f29517913ace8e262751a0
                                                                                                    • Instruction ID: 733a13295fa46f80a3f3cd4c2f51162b0dbf4e486dd6db2132544a4ae99220ff
                                                                                                    • Opcode Fuzzy Hash: 413eaea67b32c6142be40aec78ba1c714cdafbaa90f29517913ace8e262751a0
                                                                                                    • Instruction Fuzzy Hash: 7501B631520E00D5EB06EF20EC5039933AAF74938CF852926D54D4A234EF79C299C790
                                                                                                    Function 031E4F40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 412 31e4f40-31e4f6d LoadLibraryW 413 31e4f6f-31e4f89 call 2b9e130 412->413 414 31e4fb8-31e4fc2 412->414 417 31e4f9d-31e4fa3 413->417 418 31e4f8b-31e4f8f 413->418 417->414 419 31e4fa5-31e4fae FreeLibrary 417->419 420 31e4f95-31e4f9a 418->420 419->414 420->417
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32 ref: 031E4F5F
                                                                                                      • Part of subcall function 02B9E130: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E162
                                                                                                    • FreeLibrary.KERNEL32 ref: 031E4FA9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: WTSRegisterSessionNotification$wtsapi32.dll
                                                                                                    • API String ID: 145871493-1656296286
                                                                                                    • Opcode ID: 4aab33e7e3db88c757f51ae48ac70191847589117bde096eb948af860390d713
                                                                                                    • Instruction ID: 90a6954d04e6c85c5889367e505f92271c17cfb0a88eb82f8c2885756f9ee24c
                                                                                                    • Opcode Fuzzy Hash: 4aab33e7e3db88c757f51ae48ac70191847589117bde096eb948af860390d713
                                                                                                    • Instruction Fuzzy Hash: 95010432500A44CEDB15DF39D8843EC3BA6E786B8CFA81465F64E46A58DF72C885C780
                                                                                                    Function 031F0B40 Relevance: 6.1, APIs: 4, Instructions: 123sleepwindowCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Sleep$CountHandleMessageModuleTick
                                                                                                    • String ID:
                                                                                                    • API String ID: 890451581-0
                                                                                                    • Opcode ID: bd746465e132b6e7da5d1e858ac310a7bcdfc9d881ad4325e8fc646f385784c2
                                                                                                    • Instruction ID: 4b853a41468ab1101fee7aa4426c0b865db37c37c07202f01349dcf2be68d679
                                                                                                    • Opcode Fuzzy Hash: bd746465e132b6e7da5d1e858ac310a7bcdfc9d881ad4325e8fc646f385784c2
                                                                                                    • Instruction Fuzzy Hash: 5F511D72514B808EEB25EF35D8503AE37AAF788388F0445B9D64E8BB59DF38D544CB90
                                                                                                    Function 00413020 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 00413081
                                                                                                    • RtlEnterCriticalSection.NTDLL ref: 00413157
                                                                                                    • RtlLeaveCriticalSection.NTDLL ref: 00413190
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Leave$Enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 2978645861-0
                                                                                                    • Opcode ID: 7e96c0a2bb7fd7935685cd4a8eaa375bdbe1b8f557daf2a6f8199d0ffed28953
                                                                                                    • Instruction ID: d8bea0cd5c36857d6739a8ca0a452fdfd3df639d7d6f0dc136edb6438b297072
                                                                                                    • Opcode Fuzzy Hash: 7e96c0a2bb7fd7935685cd4a8eaa375bdbe1b8f557daf2a6f8199d0ffed28953
                                                                                                    • Instruction Fuzzy Hash: BA413872200A5098EB10EF72D8913A93721EB8478CF45652AFA4E97BA9DF79C584C394
                                                                                                    Function 031E3BC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 519 31e3bc0-31e3bf0 call 2b9e0e0 call 2b9e120 524 31e3c67-31e3c6c 519->524 525 31e3bf2-31e3c0b 519->525 525->524 526 31e3c0d-31e3c15 525->526 526->524 527 31e3c17-31e3c64 RtlAddFunctionTable 526->527 527->524
                                                                                                    APIs
                                                                                                    • RtlAddFunctionTable.KERNEL32 ref: 031E3C64
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FunctionTable
                                                                                                    • String ID: RtlAddFunctionTable$kernel32.dll
                                                                                                    • API String ID: 1252446317-3567194851
                                                                                                    • Opcode ID: b4fa1fd50b691b2685feb3a34845b582474ddeb860ef105b83a553b6ded40b73
                                                                                                    • Instruction ID: ecc33fb35ee412e12df48534ec4698d75c701b70d072d13842da7b87eb3f14b6
                                                                                                    • Opcode Fuzzy Hash: b4fa1fd50b691b2685feb3a34845b582474ddeb860ef105b83a553b6ded40b73
                                                                                                    • Instruction Fuzzy Hash: D521B67A200F98CACB11CF29D88039837A5F388B98F459626EA5E47B28CF75C495C740
                                                                                                    Function 00407490 Relevance: 4.6, APIs: 3, Instructions: 111memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 574 407490-4074ba 575 4074c0-4074ce 574->575 576 4075c2-4075c9 574->576 579 4074d0 575->579 580 4074d3-4074f6 VirtualQuery 575->580 577 4075d4-4075e2 call 407620 576->577 578 4075cb-4075d2 576->578 581 407607-407616 577->581 590 4075e4-4075eb 577->590 578->581 579->580 583 407589-407597 call 407620 580->583 584 4074fc-407515 580->584 583->581 595 407599-4075a0 583->595 584->583 585 407517-40752c 584->585 588 407531-40754d VirtualAlloc 585->588 589 40752e 585->589 588->583 592 40754f-40756b VirtualAlloc 588->592 589->588 593 4075f1-407602 call 407070 call 4079f0 590->593 594 4075ed 590->594 592->583 596 40756d-407587 592->596 593->581 594->593 598 4075a2 595->598 599 4075a6-4075bb call 407070 call 4079f0 595->599 596->581 598->599 605 4075c0 599->605 605->581
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Alloc$Query
                                                                                                    • String ID:
                                                                                                    • API String ID: 2084729679-0
                                                                                                    • Opcode ID: 1e67f02e069ae276c5cfe0d8d24a91a6c55bfd769c44badefc8931ac297fac91
                                                                                                    • Instruction ID: 2587ffb0752887bf906c251a4a7cd2497d79d26b8ad91353b8286e42004b0a35
                                                                                                    • Opcode Fuzzy Hash: 1e67f02e069ae276c5cfe0d8d24a91a6c55bfd769c44badefc8931ac297fac91
                                                                                                    • Instruction Fuzzy Hash: 83310522B16A5450DE11DB17DA142AEA215A744FF8F440737AF3E2BFC8DB3DE442834A
                                                                                                    Function 02B875B0 Relevance: 4.6, APIs: 3, Instructions: 111memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 606 2b875b0-2b875da 607 2b875e0-2b875ee 606->607 608 2b876e2-2b876e9 606->608 609 2b875f0 607->609 610 2b875f3-2b87616 VirtualQuery 607->610 611 2b876eb-2b876f2 608->611 612 2b876f4-2b87702 call 2b87740 608->612 609->610 613 2b876a9-2b876b7 call 2b87740 610->613 614 2b8761c-2b87635 610->614 615 2b87727-2b87736 611->615 612->615 622 2b87704-2b8770b 612->622 613->615 627 2b876b9-2b876c0 613->627 614->613 617 2b87637-2b8764c 614->617 620 2b8764e 617->620 621 2b87651-2b8766d VirtualAlloc 617->621 620->621 621->613 624 2b8766f-2b8768b VirtualAlloc 621->624 625 2b8770d 622->625 626 2b87711-2b87722 call 2b87190 call 2b87b10 622->626 624->613 628 2b8768d-2b876a7 624->628 625->626 626->615 630 2b876c2 627->630 631 2b876c6-2b876e0 call 2b87190 call 2b87b10 627->631 628->615 630->631 631->615
                                                                                                    APIs
                                                                                                    • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,02B88091), ref: 02B8760A
                                                                                                    • VirtualAlloc.KERNEL32 ref: 02B87665
                                                                                                    • VirtualAlloc.KERNEL32 ref: 02B87683
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Alloc$Query
                                                                                                    • String ID:
                                                                                                    • API String ID: 2084729679-0
                                                                                                    • Opcode ID: 8430162ff305b1d947364f56eb9dafaf825263f6da1272ecc562e24b1787b575
                                                                                                    • Instruction ID: 341f59deaf00994ebec2c1cf1ea66a9a3f32becf20414995144ccbab5ab6eeec
                                                                                                    • Opcode Fuzzy Hash: 8430162ff305b1d947364f56eb9dafaf825263f6da1272ecc562e24b1787b575
                                                                                                    • Instruction Fuzzy Hash: 5031B26A712A5580DE15FA169A142A9E256A744FFCF6407A19F3E0BFC8DF38C042D340
                                                                                                    Function 031E4720 Relevance: 4.6, APIs: 3, Instructions: 81COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseFreeHandleInformationLocalToken
                                                                                                    • String ID:
                                                                                                    • API String ID: 2549944469-0
                                                                                                    • Opcode ID: ea2ccfa6893f7af5e47f68e4ec2799f7b45d5ca3414c67504ea71733352d90c0
                                                                                                    • Instruction ID: 5f0a2fe4054f0c7730d4425628ef7fb36f17d8c8cf44a3efceaa75250854117c
                                                                                                    • Opcode Fuzzy Hash: ea2ccfa6893f7af5e47f68e4ec2799f7b45d5ca3414c67504ea71733352d90c0
                                                                                                    • Instruction Fuzzy Hash: D331B232200B858ECB10EF76D8547993BA6F78979CF1041AAEA6D87B58DF39D445CB80
                                                                                                    Function 02B874F0 Relevance: 4.6, APIs: 3, Instructions: 65COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,?,?,?,040000017F000201,?,?,?,?,?,02B87D28), ref: 02B87531
                                                                                                    • VirtualQuery.KERNEL32(?,?,?,?,040000017F000201,?,?,?,?,?,02B87D28), ref: 02B8755D
                                                                                                    • VirtualFree.KERNEL32(?,?,?,?,040000017F000201,?,?,?,?,?,02B87D28), ref: 02B8756E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Free$Query
                                                                                                    • String ID:
                                                                                                    • API String ID: 778034434-0
                                                                                                    • Opcode ID: 436a495ff45ab2a28c21857efa55b81b5f4a949ac5f9d22368e17b90059f171d
                                                                                                    • Instruction ID: d33fad1be9a41d7110e7915889158ca46cf548ce90f3bbe646c2736074bf69ca
                                                                                                    • Opcode Fuzzy Hash: 436a495ff45ab2a28c21857efa55b81b5f4a949ac5f9d22368e17b90059f171d
                                                                                                    • Instruction Fuzzy Hash: 8411021A725A4086EB11BEAB88403969AC5F748BFCF7886B1DE6D037E1EE38C145D710
                                                                                                    Function 004079F0 Relevance: 3.9, APIs: 3, Instructions: 144sleepCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(?,?,?,00407607), ref: 00407AAA
                                                                                                    • Sleep.KERNEL32(?,?,?,00407607), ref: 00407ACD
                                                                                                    • VirtualFree.KERNEL32(?,?,?,00407607), ref: 00407BBB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep$FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3067263416-0
                                                                                                    • Opcode ID: 7b9fa0f645d9edba172600cece769d7e99bb8b5c4fc8902efe7c03bfa923d13c
                                                                                                    • Instruction ID: 4edf4302abb0e9e688d7ec643564e50d94164285a2857d5ca578e4f475135755
                                                                                                    • Opcode Fuzzy Hash: 7b9fa0f645d9edba172600cece769d7e99bb8b5c4fc8902efe7c03bfa923d13c
                                                                                                    • Instruction Fuzzy Hash: 3D51CF22B18B8084DF05CB25E85036E37A4B709BA8F58C23ACA99573D5DF3CE991C346
                                                                                                    Function 02BB2FF0 Relevance: 3.8, APIs: 3, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1452528299-0
                                                                                                    • Opcode ID: 73f34c16a433aeaea0edc7daa9f772bbb65067d6e95a15a177587a0b6cd1fe2f
                                                                                                    • Instruction ID: c19b53ead8344f95fc40ca80da8103094e6011dfbc561350247d411f673b429a
                                                                                                    • Opcode Fuzzy Hash: 73f34c16a433aeaea0edc7daa9f772bbb65067d6e95a15a177587a0b6cd1fe2f
                                                                                                    • Instruction Fuzzy Hash: 4A11C631A0850955EE3B693655143FA06C1CF457F8FDC0BE2DD26873D4DBE9C141C650
                                                                                                    Function 02CFBD50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegCreateKeyExW.ADVAPI32 ref: 02CFBDF0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateLibraryLoad
                                                                                                    • String ID: RegCreateKeyExW
                                                                                                    • API String ID: 1677436877-2684475081
                                                                                                    • Opcode ID: 6e0f9dde46e1b6ce62545b1d698993e4250c76d197aa2292f5927f1ec6b45889
                                                                                                    • Instruction ID: b953676e30cc8b1ec4a65e60f770354c043566a0e80d7a2da7c13497a488c50f
                                                                                                    • Opcode Fuzzy Hash: 6e0f9dde46e1b6ce62545b1d698993e4250c76d197aa2292f5927f1ec6b45889
                                                                                                    • Instruction Fuzzy Hash: 0211BD36610B849ECBA0DF65E8803D937A5F749798F508016EA8C8BB28DF34C655CB00
                                                                                                    Function 02CFC2D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegEnumValueW.ADVAPI32 ref: 02CFC35A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EnumLibraryLoadValue
                                                                                                    • String ID: RegEnumValueW
                                                                                                    • API String ID: 573324891-4254430394
                                                                                                    • Opcode ID: c5b33e315bdfc393463f959a65bc5dd889980465c21ee672edf234c131c341ae
                                                                                                    • Instruction ID: eb09eae096bd247e4d86891142ba0907270e6686ebd0154f03167d91e069bf22
                                                                                                    • Opcode Fuzzy Hash: c5b33e315bdfc393463f959a65bc5dd889980465c21ee672edf234c131c341ae
                                                                                                    • Instruction Fuzzy Hash: 9411CE36610B88DADB64DF75E8807C937A5F389B9CF204116EA8C87B28DF35C655CB80
                                                                                                    Function 02CFC1E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegEnumKeyExW.ADVAPI32 ref: 02CFC26A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EnumLibraryLoad
                                                                                                    • String ID: RegEnumKeyExW
                                                                                                    • API String ID: 773249166-194899230
                                                                                                    • Opcode ID: da3260c27f9a65f004e05cd051a034529028b0b21699aab49acd015f6231d2c7
                                                                                                    • Instruction ID: fd283d7d2c241016afbbadfd5bb975fbb72f29b380f5393361b2406135b6115a
                                                                                                    • Opcode Fuzzy Hash: da3260c27f9a65f004e05cd051a034529028b0b21699aab49acd015f6231d2c7
                                                                                                    • Instruction Fuzzy Hash: 3E110036610B88DADB60DF75E8803D937A5F389B9CF604116EA8C87B28DF30C655CB80
                                                                                                    Function 02CFCB60 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • CreateFileW.KERNEL32 ref: 02CFCBDA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFileLibraryLoad
                                                                                                    • String ID: CreateFileW
                                                                                                    • API String ID: 2049390123-2716854569
                                                                                                    • Opcode ID: 6890b607c3f1c0bdf2c5d3a704d7762dbca3f675c2134282fbceb1cc63423e1c
                                                                                                    • Instruction ID: b21cd7be1bbed368aab8f1508650ecc3a04c26b552d9b38fd24685c78d9ff6d9
                                                                                                    • Opcode Fuzzy Hash: 6890b607c3f1c0bdf2c5d3a704d7762dbca3f675c2134282fbceb1cc63423e1c
                                                                                                    • Instruction Fuzzy Hash: A211E23A610B88DEDB50DF79E8807D937A5F38978CF604116EA4C87B28DB35D655CB80
                                                                                                    Function 02CFBE50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegSetValueExW.ADVAPI32 ref: 02CFBEBC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoadValue
                                                                                                    • String ID: RegSetValueExW
                                                                                                    • API String ID: 1812468627-3151568584
                                                                                                    • Opcode ID: 83d3ba49b84ca5ae98bc57e78f78c450b5336922611284fd864f18fdafdf4eaa
                                                                                                    • Instruction ID: b9641c2553ef4fb31b2abecaca612a8da1b6b1b01622d396e33726108e5755e2
                                                                                                    • Opcode Fuzzy Hash: 83d3ba49b84ca5ae98bc57e78f78c450b5336922611284fd864f18fdafdf4eaa
                                                                                                    • Instruction Fuzzy Hash: F8011076210B80DEDB40DF75E88078937A6F3597ACF106011FA4D83B28DB30D995CB80
                                                                                                    Function 02CFBFB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegQueryValueExW.ADVAPI32 ref: 02CFC01E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoadQueryValue
                                                                                                    • String ID: RegQueryValueExW
                                                                                                    • API String ID: 1928022227-1156389039
                                                                                                    • Opcode ID: 9bbd98086b6f1198fd55ab74573419a560af7f63db0a9a62762d9164d8da5431
                                                                                                    • Instruction ID: f6550c88f81a77a72a6cf7a752281852475ea22809392bbd274afcd575e78d76
                                                                                                    • Opcode Fuzzy Hash: 9bbd98086b6f1198fd55ab74573419a560af7f63db0a9a62762d9164d8da5431
                                                                                                    • Instruction Fuzzy Hash: 5801D036210B88DADB40DF65E8807D937A6F349BACF106056FA4D87B28DF70C596C780
                                                                                                    Function 02CFCCF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • WriteFile.KERNEL32 ref: 02CFCD55
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileLibraryLoadWrite
                                                                                                    • String ID: WriteFile
                                                                                                    • API String ID: 2534920666-3437843986
                                                                                                    • Opcode ID: 13d54fa118d81f434dd8860d35bce1c33656b30cf51f860873dfb2af839f10d2
                                                                                                    • Instruction ID: 2170c656371626660f3b5770f0e36a0cfe582e42ea4f3239fd0165c7d9ace166
                                                                                                    • Opcode Fuzzy Hash: 13d54fa118d81f434dd8860d35bce1c33656b30cf51f860873dfb2af839f10d2
                                                                                                    • Instruction Fuzzy Hash: 2801EE36210B88DADB80DF61E8807ED3766F34578CF406052FA4E47B28CB70D555CB80
                                                                                                    Function 02CFBC80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegOpenKeyExW.ADVAPI32 ref: 02CFBCE5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoadOpen
                                                                                                    • String ID: RegOpenKeyExW
                                                                                                    • API String ID: 1790881248-904843138
                                                                                                    • Opcode ID: 165248e623d60734d5039cb3df371116c129087cc46c5d33d89533731f9509f9
                                                                                                    • Instruction ID: 7e141654538e2b9eb6c20062b649a3a2b3979fc2d52dc29d43e387c083e2f307
                                                                                                    • Opcode Fuzzy Hash: 165248e623d60734d5039cb3df371116c129087cc46c5d33d89533731f9509f9
                                                                                                    • Instruction Fuzzy Hash: 5D014032210B80DACB80EF61E8807C93766F74979CF106011FA4E83B28DF30D996CB80
                                                                                                    Function 02CFCC30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • ReadFile.KERNEL32 ref: 02CFCC95
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileLibraryLoadRead
                                                                                                    • String ID: ReadFile
                                                                                                    • API String ID: 834403811-157025232
                                                                                                    • Opcode ID: bb9fd21a8babc9eef6b499fe0dd78e0edb73a3152d29d9e6312d119afa723cfa
                                                                                                    • Instruction ID: 9d2c285d275f27037d1aebefea361f95e6809b411ad145a2d1f8c36914812aa4
                                                                                                    • Opcode Fuzzy Hash: bb9fd21a8babc9eef6b499fe0dd78e0edb73a3152d29d9e6312d119afa723cfa
                                                                                                    • Instruction Fuzzy Hash: C601EE36210B88EADB40DF61E8807D93766F34579CF506056FA4E87B28CB34D595CB80
                                                                                                    Function 02CFD0F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • SetFileAttributesW.KERNEL32 ref: 02CFD13A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFileLibraryLoad
                                                                                                    • String ID: SetFileAttributesW
                                                                                                    • API String ID: 2335741568-3787399763
                                                                                                    • Opcode ID: 21647ee0cdb2561e57736c2f1c48065085e0ca71969d8d1715481068e6c77f08
                                                                                                    • Instruction ID: 99ccfa4e9bd9d5ff6d1eb3a6ee9b3b87f124295e06a03887a61bb3ae6d2b5644
                                                                                                    • Opcode Fuzzy Hash: 21647ee0cdb2561e57736c2f1c48065085e0ca71969d8d1715481068e6c77f08
                                                                                                    • Instruction Fuzzy Hash: 21F01736210A44EADB11EF34DC503E97325F79938CF959212EA4E87B28CB35C506CB80
                                                                                                    Function 02CFD050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • GetFileAttributesW.KERNEL32 ref: 02CFD094
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFileLibraryLoad
                                                                                                    • String ID: GetFileAttributesW
                                                                                                    • API String ID: 2335741568-3300174157
                                                                                                    • Opcode ID: 8696d034ac28f50e7340dbcdb0245a8039185d69ee031d36c620cf63aba654ac
                                                                                                    • Instruction ID: 06d1d07e0d65afa5b29c4c28ce1be61c0106d5249a30d5107cb70da2f8c64712
                                                                                                    • Opcode Fuzzy Hash: 8696d034ac28f50e7340dbcdb0245a8039185d69ee031d36c620cf63aba654ac
                                                                                                    • Instruction Fuzzy Hash: 76F0D436210A45EADB51EF30DC513E93325F39974CF955112FA4E87A28DF35C506CB40
                                                                                                    Function 02CFD1A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • DeleteFileW.KERNEL32 ref: 02CFD1E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFileLibraryLoad
                                                                                                    • String ID: DeleteFileW
                                                                                                    • API String ID: 3349804830-1699733146
                                                                                                    • Opcode ID: dc721cc040078e4da31f0e90f6743e009ee36ce2d001d5cf7ed3c8c6b90487bf
                                                                                                    • Instruction ID: 0890cd76b59a0c31359623ca9748e2d64390281d50abe073ff2287232b68c629
                                                                                                    • Opcode Fuzzy Hash: dc721cc040078e4da31f0e90f6743e009ee36ce2d001d5cf7ed3c8c6b90487bf
                                                                                                    • Instruction Fuzzy Hash: 27F0D436210A45EADB51EF30DC513E97365F39974CF955212EA4E87A28DB35CA06CB40
                                                                                                    Function 02CFBF20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • RegCloseKey.ADVAPI32 ref: 02CFBF64
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseLibraryLoad
                                                                                                    • String ID: RegCloseKey
                                                                                                    • API String ID: 3617174416-2838036789
                                                                                                    • Opcode ID: 742da04745f123c111a5d5a2e2bea9636604f0ce4024b1cb91f06f138f32d8dd
                                                                                                    • Instruction ID: b91085fd8409d48ef86c270df1a173eedc6f6bbb34158946fb5c68d808ffd019
                                                                                                    • Opcode Fuzzy Hash: 742da04745f123c111a5d5a2e2bea9636604f0ce4024b1cb91f06f138f32d8dd
                                                                                                    • Instruction Fuzzy Hash: 36F0F836210A45EADB51EF34DC503E93375F799B4CF925122EA4D8BA28DF35C90ACB40
                                                                                                    Function 02CFCAC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02CFD4D0: LoadLibraryW.KERNEL32 ref: 02CFD5DF
                                                                                                    • GetNativeSystemInfo.KERNEL32 ref: 02CFCB04
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: InfoLibraryLoadNativeSystem
                                                                                                    • String ID: GetNativeSystemInfo
                                                                                                    • API String ID: 3150334540-3949249589
                                                                                                    • Opcode ID: e36becd64ba2bb448b154f69660bdfe63567d1f5627409c1adc364d37fbd05aa
                                                                                                    • Instruction ID: d01dc0273c8ecfabb588719067fccf2191ac7f9d8d41e3cdbc8867224ee33f37
                                                                                                    • Opcode Fuzzy Hash: e36becd64ba2bb448b154f69660bdfe63567d1f5627409c1adc364d37fbd05aa
                                                                                                    • Instruction Fuzzy Hash: E3F03936210A44E9DF61EF20DC513E97325F39579CF996012EA0E47A28DF34C69ACB40
                                                                                                    Function 031DD140 Relevance: 3.1, APIs: 2, Instructions: 90COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetShortPathNameW.KERNEL32 ref: 031DD1D0
                                                                                                    • GetShortPathNameW.KERNEL32 ref: 031DD22C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: NamePathShort
                                                                                                    • String ID:
                                                                                                    • API String ID: 1295925010-0
                                                                                                    • Opcode ID: ed45fb40eb2c3d1d0d2341ac81575d4d95ddb42706351a833cb0d691d0d39262
                                                                                                    • Instruction ID: 0e5d3116055d6cdbd2b91a3cf44eb92cc88056d1a4b6443cafde49c38b960c7b
                                                                                                    • Opcode Fuzzy Hash: ed45fb40eb2c3d1d0d2341ac81575d4d95ddb42706351a833cb0d691d0d39262
                                                                                                    • Instruction Fuzzy Hash: 15418676611A44CEDB14DF3AC89479D37A1F788B88F649166EA0D87B68CF35C841CB80
                                                                                                    Function 031E2F90 Relevance: 3.1, APIs: 2, Instructions: 86COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: 0c1309f5805211eaf0432ec8640311ca3aa062ba3e12053e81cd71d47e76f3f3
                                                                                                    • Instruction ID: d43dca2f9d030ba6d87edd0cb88797e2680b7353d8da40b6c86e6f712e606cda
                                                                                                    • Opcode Fuzzy Hash: 0c1309f5805211eaf0432ec8640311ca3aa062ba3e12053e81cd71d47e76f3f3
                                                                                                    • Instruction Fuzzy Hash: 6041D63B204B84CEDB29CF2AC08079D7F65E788B9CF1A0546EA4D43B29CB36D994C750
                                                                                                    Function 02BBAFE0 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FormatFreeLocalMessage
                                                                                                    • String ID:
                                                                                                    • API String ID: 1427518018-0
                                                                                                    • Opcode ID: 3acc6f34f76246c61ef87c57bc18cba4548e6e6f681cee188c2e9ebcc4cd377b
                                                                                                    • Instruction ID: a9f4ce8de520c5f556e18260743b051310c78dfac0f4bfa6db67a68b19bddaa3
                                                                                                    • Opcode Fuzzy Hash: 3acc6f34f76246c61ef87c57bc18cba4548e6e6f681cee188c2e9ebcc4cd377b
                                                                                                    • Instruction Fuzzy Hash: B2111636504B80CED724DFB9D8543E93BA6F744B9CF804119EA4947B68CF78C589CB40
                                                                                                    Function 00417A40 Relevance: 3.0, APIs: 2, Instructions: 41threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • SetThreadLocale.KERNEL32 ref: 00417A72
                                                                                                      • Part of subcall function 004128B0: RtlInitializeCriticalSection.NTDLL ref: 004128BB
                                                                                                      • Part of subcall function 004128B0: GetVersion.KERNEL32(?,?,?,?,00417A77), ref: 004128C9
                                                                                                      • Part of subcall function 004128B0: GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 004128F0
                                                                                                      • Part of subcall function 004128B0: GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 004128FF
                                                                                                      • Part of subcall function 004128B0: GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 00412912
                                                                                                      • Part of subcall function 004128B0: GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 00412921
                                                                                                      • Part of subcall function 004128B0: GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 00412934
                                                                                                      • Part of subcall function 004128B0: GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 00412943
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00417B0B
                                                                                                      • Part of subcall function 004163F0: GetVersion.KERNEL32 ref: 004163F4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc$ThreadVersion$CriticalCurrentInitializeLocaleSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 129254435-0
                                                                                                    • Opcode ID: edbacc8468d0899494a2ab39c513a62618644f10cc4812c8eb309031fb007677
                                                                                                    • Instruction ID: 1eef1a6b76c6c64d30ed50411bd2095eb9b3d004698295abf50b21d1633ad7f7
                                                                                                    • Opcode Fuzzy Hash: edbacc8468d0899494a2ab39c513a62618644f10cc4812c8eb309031fb007677
                                                                                                    • Instruction Fuzzy Hash: A4113D74515B5089FB00BB71B86934636A4BB05348F91822ED5895A3A2EF3C5095879A
                                                                                                    Function 02B9E130 Relevance: 3.0, APIs: 2, Instructions: 38libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E162
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E18E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 190572456-0
                                                                                                    • Opcode ID: 6e9d0311305b7d0218744d80a9626b4b9cdd8931e8df7ca3c7ee78094ee698b4
                                                                                                    • Instruction ID: 066dcfb2a0c4f9eb9b4b09af5f9206d89fb2271cd8af1153c21b3e69d847f93a
                                                                                                    • Opcode Fuzzy Hash: 6e9d0311305b7d0218744d80a9626b4b9cdd8931e8df7ca3c7ee78094ee698b4
                                                                                                    • Instruction Fuzzy Hash: A201C472211A909ACF44EFB5D8902AD37A6F7957D8B402466FA4E47B18DF30C495C780
                                                                                                    Function 00407620 Relevance: 2.7, APIs: 2, Instructions: 243sleepCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(?,?,?,?,004075DC), ref: 0040771C
                                                                                                    • Sleep.KERNEL32(?,?,?,?,004075DC), ref: 00407735
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3472027048-0
                                                                                                    • Opcode ID: f1fa96ab9de75d50fb263d093e3c46da9d6818794d8965b1ae7856228ef74494
                                                                                                    • Instruction ID: 7d2021a841e2f3a1c383f190689d5a4a8400f9b339e92388589f0e9eb7b6520a
                                                                                                    • Opcode Fuzzy Hash: f1fa96ab9de75d50fb263d093e3c46da9d6818794d8965b1ae7856228ef74494
                                                                                                    • Instruction Fuzzy Hash: 1EB11473A09B8086EB058F29E85436973A1F344764F58C23BC69A5B3D4DF7CE895C346
                                                                                                    Function 031E2D60 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32 ref: 031E2E17
                                                                                                    • VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,031E3E72), ref: 031E2E8B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 8bf6fd11e222c2805037eba809720d9082972d9af98478d3a6e4cd0158e5a094
                                                                                                    • Instruction ID: a36ede7a3feeca2b37496f32df0654eafcd4814cd298172c8782618bcb531fe3
                                                                                                    • Opcode Fuzzy Hash: 8bf6fd11e222c2805037eba809720d9082972d9af98478d3a6e4cd0158e5a094
                                                                                                    • Instruction Fuzzy Hash: 8F51D036201F88CECB14DF79D4907A83BA5F788BACF24455AEA4E47B28DB75D096C740
                                                                                                    Function 02E0D3F0 Relevance: 1.6, APIs: 1, Instructions: 124threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32 ref: 02E0D562
                                                                                                      • Part of subcall function 02B8F980: SysFreeString.OLEAUT32 ref: 02B8F9A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FreeLocaleStringThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 3420510782-0
                                                                                                    • Opcode ID: 7e52cc1c65586674fcbdc7249bc6ab3f31bb991b778d96cd0e850a454fa11641
                                                                                                    • Instruction ID: 78f07bc83a0909b7b5d06765a854bfc865ca99219b13b75f23e70fdecc416fc5
                                                                                                    • Opcode Fuzzy Hash: 7e52cc1c65586674fcbdc7249bc6ab3f31bb991b778d96cd0e850a454fa11641
                                                                                                    • Instruction Fuzzy Hash: 1A51D232201B809EDB60EF79D8903ED37A6F744798F50516AEA4D8BB68DF34D985CB40
                                                                                                    Function 00413C60 Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetSystemDefaultUILanguage.KERNEL32 ref: 00413DC7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DefaultLanguageSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 4166810957-0
                                                                                                    • Opcode ID: 906425979d6c923ea18f641daae6b9bad136ce29d3c42585792ee4196cd98578
                                                                                                    • Instruction ID: 69b0656239e2e26b464a0f81f24744626f5ca75f9b8d03ec8101c9f45b3a8aa4
                                                                                                    • Opcode Fuzzy Hash: 906425979d6c923ea18f641daae6b9bad136ce29d3c42585792ee4196cd98578
                                                                                                    • Instruction Fuzzy Hash: 2051E936200B8089DB20EF36D8953DD2762F744B9CF50542BEA4E8BB59DF79CA85C384
                                                                                                    Function 02D01160 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ClearVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1473721057-0
                                                                                                    • Opcode ID: 6ae5e8dfd89d9c1d2d86449a55ef40a73659a4fc37f647782ef05d6823391317
                                                                                                    • Instruction ID: 0251fe119c54e98bb47c6e9d9a11a76a64ac0060f2acad537652632cb7d3e6f5
                                                                                                    • Opcode Fuzzy Hash: 6ae5e8dfd89d9c1d2d86449a55ef40a73659a4fc37f647782ef05d6823391317
                                                                                                    • Instruction Fuzzy Hash: 3311701275060194DB14BF32D8D13BC1362E749B98FC892219E8F4B3A8DF28CC87CB92
                                                                                                    Function 02B8F6E0 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2422867632-0
                                                                                                    • Opcode ID: 7d953916fd9e03f367818d089ffe756408cd6ec3c749ecc3c4f70d8d2d04cc38
                                                                                                    • Instruction ID: fdb92610ab06bcc7df4491f361d3c65d14ba0de58025d73ec241ad8a5f236e97
                                                                                                    • Opcode Fuzzy Hash: 7d953916fd9e03f367818d089ffe756408cd6ec3c749ecc3c4f70d8d2d04cc38
                                                                                                    • Instruction Fuzzy Hash: E401DF363057C491EA11AB16BD447AA7799E788BD8F044065DE8E07B14DF3CC185C700
                                                                                                    Function 02E09CE0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FindWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 134000473-0
                                                                                                    • Opcode ID: d17f35ad9851e621ac180882188a0c4cdc4b591bc7616a67bb865ab6014310bf
                                                                                                    • Instruction ID: fc27cf58bf91e948ef992f5ed29fb34af38123b7f09a88968069eec92660a35f
                                                                                                    • Opcode Fuzzy Hash: d17f35ad9851e621ac180882188a0c4cdc4b591bc7616a67bb865ab6014310bf
                                                                                                    • Instruction Fuzzy Hash: ADD06732200989DCCF72FF31D8427D82779E75879CF895162974C4AA59EE20C6AAC780
                                                                                                    Function 004073D0 Relevance: 1.3, APIs: 1, Instructions: 65COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 1263568516-0
                                                                                                    • Opcode ID: 87ffc5b75e56ea7575c4c67dd6474f3502977a7aa9fbbb1a8abde808aa3d620d
                                                                                                    • Instruction ID: 3ee897b75ea2ba116609da9ae97e401dfdfee4b8fba0fde360b6af2665264ed7
                                                                                                    • Opcode Fuzzy Hash: 87ffc5b75e56ea7575c4c67dd6474f3502977a7aa9fbbb1a8abde808aa3d620d
                                                                                                    • Instruction Fuzzy Hash: D5110612B19B5444DF119FBB98803561E41B748BF8F148237AE6E237D1DE3CE0468707
                                                                                                    Function 00407340 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 1c81b13b98d5c667e1aa5805305efa096a6ddae117663545c45e22096a2b4578
                                                                                                    • Instruction ID: 9c610124a9f7aa774a307e6432216b6c5ca0ec98510e6ff919e0e2075c0600a8
                                                                                                    • Opcode Fuzzy Hash: 1c81b13b98d5c667e1aa5805305efa096a6ddae117663545c45e22096a2b4578
                                                                                                    • Instruction Fuzzy Hash: A3F0C831701BA990F6469B16FD54B4A3A5DB714BE4F008236EE981B7C8CF3884928344
                                                                                                    Function 02B87370 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(?,?,?,02B87A55), ref: 02B87392
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 9e1af0f790ef712079cbdb284c7954d86a3d79a2a4f07856e3a14df5e19600ab
                                                                                                    • Instruction ID: 8024483114b5357a8420caea8012dc94167e12100c09d9a73653a25e9507b830
                                                                                                    • Opcode Fuzzy Hash: 9e1af0f790ef712079cbdb284c7954d86a3d79a2a4f07856e3a14df5e19600ab
                                                                                                    • Instruction Fuzzy Hash: C50181B6701B4082DB169FA9EEA0355B3D8F71C784F244179DE4C87714DF3885A6C340

                                                                                                    Non-executed Functions

                                                                                                    Function 631D3E50 Relevance: 94.1, APIs: 52, Strings: 1, Instructions: 1381COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$isspace$localeconv
                                                                                                    • String ID: d
                                                                                                    • API String ID: 3109050730-2564639436
                                                                                                    • Opcode ID: dd29203c7c2a76291861071b9af88284830e7c753182479dd184fd705b44401a
                                                                                                    • Instruction ID: 6cf5caff77d72275b851c7e310a0caefad26b6b561c80015cec43541f277f3ee
                                                                                                    • Opcode Fuzzy Hash: dd29203c7c2a76291861071b9af88284830e7c753182479dd184fd705b44401a
                                                                                                    • Instruction Fuzzy Hash: 39C28D32208B8483DB208F15E48039EB7A5F79AFD4F498626EF9947B58DF79D585CB00
                                                                                                    Function 031F2B80 Relevance: 37.2, APIs: 5, Strings: 15, Instructions: 2226synchronizationCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02E09D20: GetCurrentProcessId.KERNEL32 ref: 02E09D3D
                                                                                                      • Part of subcall function 02E09D20: GetCurrentThreadId.KERNEL32 ref: 02E09D48
                                                                                                      • Part of subcall function 02E09D20: PostMessageW.USER32 ref: 02E09E21
                                                                                                      • Part of subcall function 02E09D20: PostMessageW.USER32 ref: 02E09E4B
                                                                                                      • Part of subcall function 02E09E80: GetCurrentProcessId.KERNEL32 ref: 02E09EA6
                                                                                                      • Part of subcall function 02E09E80: GetCurrentThreadId.KERNEL32 ref: 02E09EB1
                                                                                                      • Part of subcall function 02E09E80: PostMessageW.USER32 ref: 02E09F8A
                                                                                                      • Part of subcall function 02E09E80: PostMessageW.USER32 ref: 02E09FB4
                                                                                                    • WaitForSingleObject.KERNEL32 ref: 031F5AE1
                                                                                                    • ResetEvent.KERNEL32 ref: 031F5AED
                                                                                                    • CloseHandle.KERNEL32 ref: 031F5AF9
                                                                                                    • CloseHandle.KERNEL32 ref: 031F5B05
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentMessagePost$CloseHandleProcessThread$EventObjectResetSingleWait
                                                                                                    • String ID: %BOT_ID%$%BOT_VERSION%$%BUILD_ID%$%COMP_ID%$%PROGRAMDATA%$%SELF%$%TEMP%$%WINDOWS%$%bot_id%$%bot_version%$%build_id%$%comp_id%$rundll32.exe$taskmgr.exe$taskmgr.exe|1|1|0|0|
                                                                                                    • API String ID: 364302597-897403374
                                                                                                    • Opcode ID: 2373129baa49f01bd6dc76ee6d1c71629304a231f64ed357f143d827c82bdd77
                                                                                                    • Instruction ID: d0dab51d7132c416acf668436fdc39b9b96b08d7688e0b20a1d643f6f9e03672
                                                                                                    • Opcode Fuzzy Hash: 2373129baa49f01bd6dc76ee6d1c71629304a231f64ed357f143d827c82bdd77
                                                                                                    • Instruction Fuzzy Hash: 42431376210AC599DB30EF36D8943DD23A6F789B88F809126CA0D4BB68DF75C789C750
                                                                                                    Function 63086040 Relevance: 33.5, APIs: 22, Instructions: 533fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$_errnocalloc$FileFindNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 2134193063-0
                                                                                                    • Opcode ID: a43b9ea017a010df42fa5fbe9e90f7dce141f8ad3be7ed4db147e44e7088024b
                                                                                                    • Instruction ID: 0b15217fc745b18395cbdb265564acecf1ffa5888b4e57940db715d9545c0bc3
                                                                                                    • Opcode Fuzzy Hash: a43b9ea017a010df42fa5fbe9e90f7dce141f8ad3be7ed4db147e44e7088024b
                                                                                                    • Instruction Fuzzy Hash: 5E325963A25BD585DB028B39C1147EEABA5EB92F80F4BD721DF9427755FB348298C300
                                                                                                    Function 630820A0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 276fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$ByteCharHandleMultiTypeWideWrite_vsnprintf
                                                                                                    • String ID: OpenSSL$OpenSSL: FATAL
                                                                                                    • API String ID: 1133627413-4224901669
                                                                                                    • Opcode ID: a27f789fff78bff9ba13b86a6ec00c09cfaf7a69d93f01e0cede0d09d81edee0
                                                                                                    • Instruction ID: e46552628dbb0aa72ac99e09dc4fffe0e2d8db09d8b712e6bcd468fb046d1253
                                                                                                    • Opcode Fuzzy Hash: a27f789fff78bff9ba13b86a6ec00c09cfaf7a69d93f01e0cede0d09d81edee0
                                                                                                    • Instruction Fuzzy Hash: 0BB112B2A1478191DF218B20E5647CE7BFAF749F95F889612EE5A07754EB38C268C304
                                                                                                    Function 004128B0 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 31libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • RtlInitializeCriticalSection.NTDLL ref: 004128BB
                                                                                                    • GetVersion.KERNEL32(?,?,?,?,00417A77), ref: 004128C9
                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 004128F0
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 004128FF
                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 00412912
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 00412921
                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,00417A77), ref: 00412934
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,00417A77), ref: 00412943
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                                                                    • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                                                                    • API String ID: 74573329-1403180336
                                                                                                    • Opcode ID: ceb6f5e2e32dc26e77cfa936d04dbdbcae3d2174ef50f7c3e8f670439e772a78
                                                                                                    • Instruction ID: 5d9183c95eaaf57302d6feeab72220e2e8876bcf6bc60a4f916eab13eb1ea8fe
                                                                                                    • Opcode Fuzzy Hash: ceb6f5e2e32dc26e77cfa936d04dbdbcae3d2174ef50f7c3e8f670439e772a78
                                                                                                    • Instruction Fuzzy Hash: 3B0136B1316E4290F645EB15ED423E93350FB50344F95413B919A9A2B1EFBCC6F5C348
                                                                                                    Function 031E5F80 Relevance: 14.0, APIs: 4, Strings: 3, Instructions: 1711COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 031E680A
                                                                                                      • Part of subcall function 031E4720: GetTokenInformation.ADVAPI32 ref: 031E47F5
                                                                                                      • Part of subcall function 031E4720: LocalFree.KERNEL32 ref: 031E4845
                                                                                                      • Part of subcall function 031E4720: CloseHandle.KERNEL32 ref: 031E484E
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 031E6D3A
                                                                                                    • ProcessIdToSessionId.KERNEL32 ref: 031E6D71
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 031E6D91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Process$Current$CloseCriticalFreeHandleInformationInitializeLocalSectionSessionToken
                                                                                                    • String ID: .dll$.exe$.tmp
                                                                                                    • API String ID: 1385382374-3668598867
                                                                                                    • Opcode ID: 8a67d36ee169e094ad1f5b16df5f7a774d12a91df3d9fd5c34a9ee1e2fab0b35
                                                                                                    • Instruction ID: 27d2855ea7c6c675584f6987145a9a7fdc6977f5633c745b613ded49ad78a24b
                                                                                                    • Opcode Fuzzy Hash: 8a67d36ee169e094ad1f5b16df5f7a774d12a91df3d9fd5c34a9ee1e2fab0b35
                                                                                                    • Instruction Fuzzy Hash: 0923D676220AC099EB71EF24DCA43DE336AF798788F805066CA4D4BA68DF75C749C750
                                                                                                    Function 03194830 Relevance: 10.3, Strings: 8, Instructions: 339COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Connection Name$DHCP Enabled$DHCP Server$IP address$MAC Address$Name$Network Card [$Status
                                                                                                    • API String ID: 0-1400835594
                                                                                                    • Opcode ID: 83a2851c5c6c5e7119c3f6d5e0fa98542820b583b338436cb936826212b8dca3
                                                                                                    • Instruction ID: 2e9ddb7f83f4b45ed8c8e0046fb1181eb9d383458c3e6e69541ed7a833fe9e56
                                                                                                    • Opcode Fuzzy Hash: 83a2851c5c6c5e7119c3f6d5e0fa98542820b583b338436cb936826212b8dca3
                                                                                                    • Instruction Fuzzy Hash: 4712B076210BC199DB71EF25D8A43DA3366FB4978CF809012CA4D5BB68DF74C649C790
                                                                                                    Function 03137C90 Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 1015COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: PT0S$Schedule.Service$schedule
                                                                                                    • API String ID: 0-143049435
                                                                                                    • Opcode ID: bedca623b6c3a011f721329cb6bc5aea443a987d7aea80c848b19e8e4d0a0790
                                                                                                    • Instruction ID: 529df38d2899fbf38ba6d01d20c54c5a96d9e2daed4057be98652b1cf3dff58a
                                                                                                    • Opcode Fuzzy Hash: bedca623b6c3a011f721329cb6bc5aea443a987d7aea80c848b19e8e4d0a0790
                                                                                                    • Instruction Fuzzy Hash: D6A2F372611AC6E8DBB1EF38DC907D92366E78838CF805022D60D9B9A8DFB5C749C750
                                                                                                    Function 031F1EC0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • CoInitialize.OLE32 ref: 031F1F2C
                                                                                                      • Part of subcall function 031F1E00: CLSIDFromProgID.OLE32(?,?,?,?,?,031F1F3D), ref: 031F1E40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FromInitializeProg
                                                                                                    • String ID: HNetCfg.FWRule$HNetCfg.FwPolicy2
                                                                                                    • API String ID: 589548019-2701286346
                                                                                                    • Opcode ID: a654311c987e6588d305ad17d665ee1ad2536af30eb51226016d5a5dc1458ef8
                                                                                                    • Instruction ID: 58b2ae0e884a498043231181774dfeef9974922c3d615414599e9ab9c6917179
                                                                                                    • Opcode Fuzzy Hash: a654311c987e6588d305ad17d665ee1ad2536af30eb51226016d5a5dc1458ef8
                                                                                                    • Instruction Fuzzy Hash: BB513B76210A85EADB69EF74E8517D83326F70839CF805427E60E57AA8DFB4C60AC750
                                                                                                    Function 00412BF0 Relevance: 4.6, APIs: 3, Instructions: 112COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$Info$Valid
                                                                                                    • String ID:
                                                                                                    • API String ID: 1826331170-0
                                                                                                    • Opcode ID: d737d512fb39190a081d0c73d778f31a9607ea45d6563f7cca567f696ff40dbd
                                                                                                    • Instruction ID: 90152097ecd928ad3dc2e1ce2b32023356d02f2b50145f662264f1bc8d93d74e
                                                                                                    • Opcode Fuzzy Hash: d737d512fb39190a081d0c73d778f31a9607ea45d6563f7cca567f696ff40dbd
                                                                                                    • Instruction Fuzzy Hash: 9A419E72300A8489DB10DFB1D8507ED2762F745799F90802BEA4D93B98EF7CC5A6C399
                                                                                                    Function 02B94EF0 Relevance: 4.6, APIs: 3, Instructions: 112COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Locale$Info$Valid
                                                                                                    • String ID:
                                                                                                    • API String ID: 1826331170-0
                                                                                                    • Opcode ID: 0f1fc10582bf6bacc4fe7d2767c906cdd7de89412f36783f1c4ac4c1e6655e69
                                                                                                    • Instruction ID: d1e98c51038c9a481ba25b986d674aed1c1a523192dcbf43f26689a5df984846
                                                                                                    • Opcode Fuzzy Hash: 0f1fc10582bf6bacc4fe7d2767c906cdd7de89412f36783f1c4ac4c1e6655e69
                                                                                                    • Instruction Fuzzy Hash: 6241C872210A8589EF14DFB1D8507ED3777F744798F80406AEA5C43B98EB38C69AC7A1
                                                                                                    Function 02B95E40 Relevance: 3.1, APIs: 2, Instructions: 58COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetUserDefaultUILanguage.KERNEL32 ref: 02B95E6E
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 02B95E87
                                                                                                      • Part of subcall function 02B95C90: FindFirstFileW.KERNEL32 ref: 02B95CC2
                                                                                                      • Part of subcall function 02B95C90: FindClose.KERNEL32 ref: 02B95CDD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 3216391948-0
                                                                                                    • Opcode ID: aa1817d2f482635c3c3e45d97b32d33139888ddf5df83c4ad6c27f4a2aa3d5b3
                                                                                                    • Instruction ID: 919fa0a6b51081351261f821b228d05798f9174b35c647c6817ed20bb6ab66f9
                                                                                                    • Opcode Fuzzy Hash: aa1817d2f482635c3c3e45d97b32d33139888ddf5df83c4ad6c27f4a2aa3d5b3
                                                                                                    • Instruction Fuzzy Hash: 5921E776220A4189CB20EF3AC8903ED27A6F788BDCF946156EB4D47B68DF34C045CB90
                                                                                                    Function 63163D80 Relevance: 2.8, Strings: 2, Instructions: 322COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: a_object.c$q
                                                                                                    • API String ID: 0-3072118919
                                                                                                    • Opcode ID: 365cdbc2581bc46115b566915dbd81f48768cf0613fa541a10d3000c4de28691
                                                                                                    • Instruction ID: 175ec3e2c9eb174466250b271093cb1b96baa45d13fd6ef27b78b3e95c8cbc51
                                                                                                    • Opcode Fuzzy Hash: 365cdbc2581bc46115b566915dbd81f48768cf0613fa541a10d3000c4de28691
                                                                                                    • Instruction Fuzzy Hash: B2B1463230878187D710CBA1E81071B7BB9F797F88F514926FA5507BA4EB3AC566CB01
                                                                                                    Function 6308AA70 Relevance: 2.5, Strings: 1, Instructions: 1274COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @
                                                                                                    • API String ID: 0-2766056989
                                                                                                    • Opcode ID: 3df06edc49ec994d54d1f86807c455bb7f83c49abd8cb64ac69e1857d2cd0f5a
                                                                                                    • Instruction ID: b3623aa82a3e879c2ac214cc0bae54a2aaa4543f955f65ff43eb51ec3dab3951
                                                                                                    • Opcode Fuzzy Hash: 3df06edc49ec994d54d1f86807c455bb7f83c49abd8cb64ac69e1857d2cd0f5a
                                                                                                    • Instruction Fuzzy Hash: 60A29E776382544B9359CE2AA451A4BB7A1F388B88F92B118FF4793F04D678EE05CF44
                                                                                                    Function 02BCC870 Relevance: 1.8, Strings: 1, Instructions: 519COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
                                                                                                    • API String ID: 0-2168803803
                                                                                                    • Opcode ID: 8aa291b745a7f95b06f49cad4408d511b7cbe00e10d5da526720d9a43262cd90
                                                                                                    • Instruction ID: 76daa0e03b125bcfc79d477f051c3a50123da2f83db374df23541189893a16d9
                                                                                                    • Opcode Fuzzy Hash: 8aa291b745a7f95b06f49cad4408d511b7cbe00e10d5da526720d9a43262cd90
                                                                                                    • Instruction Fuzzy Hash: 62424B36214BC489EB71DF30D8A43EA7766E759348F94406ACA8D4AF8ADF38C349D710
                                                                                                    Function 63087F40 Relevance: 1.5, Strings: 1, Instructions: 298COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .%lu
                                                                                                    • API String ID: 0-3053986306
                                                                                                    • Opcode ID: 8b6e42785f95ec3b21eee924f6d34c6f504d378a388c99fcd7a6c888feb21e0f
                                                                                                    • Instruction ID: 285c669adace7c8a2c8e89909dc5aab1b25103f45ec6a52fa44215d345ece975
                                                                                                    • Opcode Fuzzy Hash: 8b6e42785f95ec3b21eee924f6d34c6f504d378a388c99fcd7a6c888feb21e0f
                                                                                                    • Instruction Fuzzy Hash: CF919B32B0A75146EF559B2A990032F2AD9BB82FCCF485525FE151B749EF39C84CC780
                                                                                                    Function 02BB8CF0 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LocalTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 481472006-0
                                                                                                    • Opcode ID: b65ee52cce3b9824f21a4a6597d6b009a3456001ba4c16fb9552b47a6ff13852
                                                                                                    • Instruction ID: 3b0cb73a6f812fa5a09636246c8c792e4cc02d39e792fbe0ef3089c04a321bc3
                                                                                                    • Opcode Fuzzy Hash: b65ee52cce3b9824f21a4a6597d6b009a3456001ba4c16fb9552b47a6ff13852
                                                                                                    • Instruction Fuzzy Hash: 98B09252A144D0C2CD20AB00981202A9721B794308FC00651EACC00674D61DCA26CE00
                                                                                                    Function 02BB4990 Relevance: .9, Instructions: 894COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 025348ed429764023317f9c43cd1ff92bda4535de700b58a7cbcc318de388c52
                                                                                                    • Instruction ID: a6d18add48271e85b67ad87b433db4f20b4beb271f48a5010b00858035ac7d0d
                                                                                                    • Opcode Fuzzy Hash: 025348ed429764023317f9c43cd1ff92bda4535de700b58a7cbcc318de388c52
                                                                                                    • Instruction Fuzzy Hash: C9822736610B848ECB31DF36D8607F933A2FB45B98F8041A6DA5E4BB98DBB5D540CB41
                                                                                                    Function 6308A050 Relevance: .6, Instructions: 646COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 385dd9e43da0ff42d3ab24fe099c0b32aa5684c59439925b4023d367bc661ba9
                                                                                                    • Instruction ID: 556305f78a9745c9d55cf1b84fa496a7d74a8fbbe3ac01a3f19340052f4f9b9b
                                                                                                    • Opcode Fuzzy Hash: 385dd9e43da0ff42d3ab24fe099c0b32aa5684c59439925b4023d367bc661ba9
                                                                                                    • Instruction Fuzzy Hash: F2323B770B46004BD31FCE2ED99158AB292F784AA2709F238FE57C7B54E67CEE158604
                                                                                                    Function 02D06720 Relevance: .6, Instructions: 615COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5154a535aa3b46ae11515ded863a65449ab9a41dea9a7c8131e4bd89206f7c24
                                                                                                    • Instruction ID: 1de5c39551407287671b15dee751e7dbe1873a9fec966fb626a5a5dbf584e8a9
                                                                                                    • Opcode Fuzzy Hash: 5154a535aa3b46ae11515ded863a65449ab9a41dea9a7c8131e4bd89206f7c24
                                                                                                    • Instruction Fuzzy Hash: BD52C876201BC499EB71EF35C8A43ED6365FB49B98F409452CE4E4BBA9DF20CA48C750
                                                                                                    Function 031E0270 Relevance: .5, Instructions: 470COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cc87fca2643234ed175006646bd58f2ae8605bd97ba1e783fe31bd3437487382
                                                                                                    • Instruction ID: 5b5258ff3742d498fd35462fa0f57bda189d3a86f7a10a78b44d810809dfc534
                                                                                                    • Opcode Fuzzy Hash: cc87fca2643234ed175006646bd58f2ae8605bd97ba1e783fe31bd3437487382
                                                                                                    • Instruction Fuzzy Hash: EA32E636210BC5C9DB25EF26D8903ED2365F789B88F44A022DE4E4BB69DF75C689C740
                                                                                                    Function 63089200 Relevance: .5, Instructions: 465COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0aef174cc001ca89d82a81b9692044e58d10b173b3151d9424545241a9d24a7a
                                                                                                    • Instruction ID: 669b078625ee72505a2d17e19959a3ce4e02d542779f9d7f345f016f9d40a36e
                                                                                                    • Opcode Fuzzy Hash: 0aef174cc001ca89d82a81b9692044e58d10b173b3151d9424545241a9d24a7a
                                                                                                    • Instruction Fuzzy Hash: FEF1F5B7B345604F9358CF2AD840A9ABAD1F7C8798B45A12DAE07E3F04E63DD9058F40
                                                                                                    Function 031371A0 Relevance: .1, Instructions: 132COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c5c1316e230b49d72e6e25d7a4571310d5e2b8c1d809f25142e1da04155bb924
                                                                                                    • Instruction ID: f5c9534e6c332af3529791088e18b4657fc48e9c297665073276efbbac68d908
                                                                                                    • Opcode Fuzzy Hash: c5c1316e230b49d72e6e25d7a4571310d5e2b8c1d809f25142e1da04155bb924
                                                                                                    • Instruction Fuzzy Hash: 5D312B4BE6D7D54AF393D7340C791486F62A4D7C2178D809BCF808BE93D66D2869D311
                                                                                                    Function 031AFD70 Relevance: .1, Instructions: 125COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 968542dd4dd3ee76c6b8bf544826b9695e770083f8a07c78e90d2de41fe944e0
                                                                                                    • Instruction ID: 77ebd270aeef67dad164607b32c69411a3531368c736306b6648353c9f54aab1
                                                                                                    • Opcode Fuzzy Hash: 968542dd4dd3ee76c6b8bf544826b9695e770083f8a07c78e90d2de41fe944e0
                                                                                                    • Instruction Fuzzy Hash: 6C51A576215BC499DB70EF76D8A43DE2375EB89B98F8050229E0D4BB29DE24C785C340
                                                                                                    Function 02E024F0 Relevance: .0, Instructions: 14COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cc0fef8378838a4bbe58128c046142e9e9e7c01c62b86e0a92cef8d2e5335e16
                                                                                                    • Instruction ID: bcc24943e4996e0bd48205bf30af188874051b7662fe5fcc338e311a4410c689
                                                                                                    • Opcode Fuzzy Hash: cc0fef8378838a4bbe58128c046142e9e9e7c01c62b86e0a92cef8d2e5335e16
                                                                                                    • Instruction Fuzzy Hash: 2DC002F75096849F978ACF5AB9509687BE4A688BA4F54C13AAE0893310E27444848B12
                                                                                                    Function 031D6FA0 Relevance: .0, Instructions: 13COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 64ebeed77ea8b2fff5c547b73f5e01dacbb62af16e0d6ca66a9d58669b98e3a1
                                                                                                    • Instruction ID: ab767ec40bb64fe3dd2105e53a6906383109e5849fca3717caa86ecb3e8befc5
                                                                                                    • Opcode Fuzzy Hash: 64ebeed77ea8b2fff5c547b73f5e01dacbb62af16e0d6ca66a9d58669b98e3a1
                                                                                                    • Instruction Fuzzy Hash: 81D0C76BE7DAC985F152D7562C7C3442B435767C62F4C8049C64046D81955F2961C311
                                                                                                    Function 031D6FC0 Relevance: .0, Instructions: 10COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 838a94508584ccf532e5ed229d2506187aa561cb505c6ae5c5547e09cd247d6c
                                                                                                    • Instruction ID: 4f1ad3d34cbb3caac0976d63a7ab070b202cb1f2de1dde550cc46232a356ed77
                                                                                                    • Opcode Fuzzy Hash: 838a94508584ccf532e5ed229d2506187aa561cb505c6ae5c5547e09cd247d6c
                                                                                                    • Instruction Fuzzy Hash: 99C0126BE1C9C089F352E76458B43543F53E397822F8E404DC9404BD0391291965D302
                                                                                                    Function 02CFD4D0 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 146libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID: Iphlpapi.dll$PSAPI.dll$advapi32.dll$crypt32.dll$gdi32.dll$ntdll.dll$ole32.dll$shell32.dll$user32.dll$wininet.dll$ws2_32.dll$wtsapi32.dll
                                                                                                    • API String ID: 1029625771-1098239973
                                                                                                    • Opcode ID: 875733a7b63e6be7f66afe00cf79456be4f8564dbcc5cf0caf3512a77dd65e3e
                                                                                                    • Instruction ID: d2add70d2f1320ba5c35c2eb2e50c35e13516b9f6031c11c7855a5ec042de689
                                                                                                    • Opcode Fuzzy Hash: 875733a7b63e6be7f66afe00cf79456be4f8564dbcc5cf0caf3512a77dd65e3e
                                                                                                    • Instruction Fuzzy Hash: A1612831101F45EAEBD2DF25EC9436A33A9F745798FA04926EA4F86B28EF35C650C740
                                                                                                    Function 02B9FA50 Relevance: 35.1, APIs: 1, Strings: 19, Instructions: 105libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,?,02B9FFF4,-00000001,?,?,02F84228), ref: 02B9FA69
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                                                                                    • API String ID: 1029625771-2267155864
                                                                                                    • Opcode ID: a8e5621057e6080d5bed818ac8316daee1075445f5b21cf0a191670dc76a750a
                                                                                                    • Instruction ID: a6ba9d7f45d35b48975b70f3c9428a5a5215686b5e113f34aefe5b20d789558a
                                                                                                    • Opcode Fuzzy Hash: a8e5621057e6080d5bed818ac8316daee1075445f5b21cf0a191670dc76a750a
                                                                                                    • Instruction Fuzzy Hash: E061D330221E45D5EF01EB16FC8436933E9E786795FA06562C44E87630EFB8E68ACB45
                                                                                                    Function 031E1D10 Relevance: 31.9, APIs: 1, Strings: 17, Instructions: 400registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8FAB0: SysAllocStringLen.OLEAUT32 ref: 02B8FAD4
                                                                                                      • Part of subcall function 02E4C270: IsTextUnicode.ADVAPI32 ref: 02E4C314
                                                                                                    • RegFlushKey.ADVAPI32 ref: 031E25A5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocFlushStringTextUnicode
                                                                                                    • String ID: LocalSystem$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService$SYSTEM\ControlSet001\services\$SYSTEM\ControlSet001\services\SENS\Description$SYSTEM\ControlSet001\services\SENS\DisplayName$SYSTEM\ControlSet001\services\SENS\Group$\Description$\DisplayName$\ErrorControl$\Group$\ImagePath$\ObjectName$\Parameters\ServiceDll$\Start$\Type$svchost.exe -k LocalService$system32\svchost.exe -k LocalService
                                                                                                    • API String ID: 2091690675-1158809106
                                                                                                    • Opcode ID: 5973973d0d13d870e8d7b644a38a4cac13209989004df5cfd211dec74525ae01
                                                                                                    • Instruction ID: a98e5f96e6012dac152a11bf1c70cc4a1d39dd56b8d8a05fee407bdaf4758f05
                                                                                                    • Opcode Fuzzy Hash: 5973973d0d13d870e8d7b644a38a4cac13209989004df5cfd211dec74525ae01
                                                                                                    • Instruction Fuzzy Hash: 31321036215AC098DB71EF34DC643EA276AF789388F804256DA9D0BB99DF39C349C750
                                                                                                    Function 63081F50 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
                                                                                                    • String ID: Service-0x$_OPENSSL_isservice
                                                                                                    • API String ID: 459917433-1672312481
                                                                                                    • Opcode ID: f6d4350b85e2decea7779591ba36a0cbd6e4b8161d4a9b722fc24b38aecbc417
                                                                                                    • Instruction ID: e293bd9d3d936b3639b35d7b4205faefb63a8fff46262d84c0e0f39b17e0fe10
                                                                                                    • Opcode Fuzzy Hash: f6d4350b85e2decea7779591ba36a0cbd6e4b8161d4a9b722fc24b38aecbc417
                                                                                                    • Instruction Fuzzy Hash: B031CF33B02A1186FA048B35AC1075A26E9AF48BB8F580321EC3D427D6EB39C656C340
                                                                                                    Function 63083230 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 270COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _localtime64memset
                                                                                                    • String ID: thread=%lu, file=%s, line=%d, info="$%5lu file=%s, line=%d, $[%02d:%02d:%02d] $number=%d, address=%08lX$thread=%lu,
                                                                                                    • API String ID: 2530411984-3316983000
                                                                                                    • Opcode ID: 9af541d432f7ac00070bcdc353201c26343a6405a14c544263367ba02fa2627c
                                                                                                    • Instruction ID: 87cfccbe43d979bf6817d1ccae3496837a69f0a70958f8b70ce0f6931145bb46
                                                                                                    • Opcode Fuzzy Hash: 9af541d432f7ac00070bcdc353201c26343a6405a14c544263367ba02fa2627c
                                                                                                    • Instruction Fuzzy Hash: 4CA103B6B0468086EF12CF25DC0475A3BA1F38AF98F888562DF6957B94DB3DC549C300
                                                                                                    Function 02B9AC00 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 248COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise
                                                                                                    • String ID: H
                                                                                                    • API String ID: 3997070919-2852464175
                                                                                                    • Opcode ID: 33e656a7343aa2031a843370dbed15e8595798f49050a7df52ede534746a0c4c
                                                                                                    • Instruction ID: 93e31cbdef873d275284fc886bcc1545e80eb0a264982b940b107281de451746
                                                                                                    • Opcode Fuzzy Hash: 33e656a7343aa2031a843370dbed15e8595798f49050a7df52ede534746a0c4c
                                                                                                    • Instruction Fuzzy Hash: 99D1B136218B8886DB71DB15F48439AB7A5F788B88F50426ADACD47B68DF7CC584CF40
                                                                                                    Function 631D2FF0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Mingw-w64 runtime failure:, xrefs: 631D3028
                                                                                                    • VirtualQuery failed for %d bytes at address %p, xrefs: 631D31A1
                                                                                                    • Address %p has no image-section, xrefs: 631D3060, 631D31B5
                                                                                                    • VirtualProtect failed with code 0x%x, xrefs: 631D317E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryVirtual
                                                                                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                                                    • API String ID: 1804819252-1534286854
                                                                                                    • Opcode ID: 5fdcf52be9ce54b6136502381df8b986b6fbf0d8f5b0b80cb06daf912a70db36
                                                                                                    • Instruction ID: ba5cf269c8814246be4fb4e7ae1641c842db3f3eeb914be0b93e720519fde42d
                                                                                                    • Opcode Fuzzy Hash: 5fdcf52be9ce54b6136502381df8b986b6fbf0d8f5b0b80cb06daf912a70db36
                                                                                                    • Instruction Fuzzy Hash: EB41B0B6701B4283DB008F61E89075A77B2FB9AF98F488529DE5D07754EF39C266C780
                                                                                                    Function 630813D0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82stringCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strchrstrtoul
                                                                                                    • String ID: %I64i$OPENSSL_ia32cap$~$~$~
                                                                                                    • API String ID: 3320651915-3627686136
                                                                                                    • Opcode ID: 7ae7f3dc3160ee471bf9cb715fcd88035a226414c64e45410e282fbf452b89fc
                                                                                                    • Instruction ID: bb08c186b16a0b2c92cd7fd40a69700d661f94b90151b07ebec4f4ae76830202
                                                                                                    • Opcode Fuzzy Hash: 7ae7f3dc3160ee471bf9cb715fcd88035a226414c64e45410e282fbf452b89fc
                                                                                                    • Instruction Fuzzy Hash: F431E066A1575086EB14CF25D49031A37E2FB8AB9CF8C8411DE6C47B64DB3DC294C780
                                                                                                    Function 0040C3A0 Relevance: 10.6, APIs: 7, Instructions: 146threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040C9E0: GetCurrentThreadId.KERNEL32 ref: 0040C9E8
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C3E6
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C3FF
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040C439
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C46C
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C4A5
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C4D3
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040C543
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$CurrentThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 3968769311-0
                                                                                                    • Opcode ID: c8b02d23dded68959a328eca34c105b27ff9441d7639eb393b1dff7d856e67f7
                                                                                                    • Instruction ID: 5c672504ac8ffb0c0c7492b5a3a395c15e0bb8eacf0d2f191186830afc1c8697
                                                                                                    • Opcode Fuzzy Hash: c8b02d23dded68959a328eca34c105b27ff9441d7639eb393b1dff7d856e67f7
                                                                                                    • Instruction Fuzzy Hash: 5241A536301611C9DB259F3AC9D02AF2A50F7487ACB15533BEE0DE7794CA39D8868688
                                                                                                    Function 02B8D5B0 Relevance: 10.6, APIs: 7, Instructions: 146threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8DBF0: GetCurrentThreadId.KERNEL32 ref: 02B8DBF8
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8D5F6
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8D60F
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8D649
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8D67C
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8D6B5
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8D6E3
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8D753
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$CurrentThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 3968769311-0
                                                                                                    • Opcode ID: f201d167e35fc4aada7bb9284b34011fba6f3e3b72a106a534a163d74ec327b7
                                                                                                    • Instruction ID: 11b80937884c6aaa88c4353fe382513261d2ed234124187eba486ffe2e665bbb
                                                                                                    • Opcode Fuzzy Hash: f201d167e35fc4aada7bb9284b34011fba6f3e3b72a106a534a163d74ec327b7
                                                                                                    • Instruction Fuzzy Hash: 5341B23720160789DB25BE39D94035E2B65FB48BADF1592ABDE0DC3794DB71C485CB80
                                                                                                    Function 0040E110 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,?,00000001,0040E20B,00000001,?,?,0040E38F), ref: 0040E149
                                                                                                    • WriteFile.KERNEL32 ref: 0040E16D
                                                                                                    • GetStdHandle.KERNEL32 ref: 0040E178
                                                                                                    • WriteFile.KERNEL32 ref: 0040E1A7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleWrite
                                                                                                    • String ID: Error$Runtime error at 0000000000000000
                                                                                                    • API String ID: 3320372497-326393251
                                                                                                    • Opcode ID: feb560aad91e35d6165a2ea74df617ddc2a783b4343fb85aba1bc9736c4f15a7
                                                                                                    • Instruction ID: e9be9ae87caac9b8cc516abe06e90dcd2086fa4659d0c5753e3c0f142e2f051a
                                                                                                    • Opcode Fuzzy Hash: feb560aad91e35d6165a2ea74df617ddc2a783b4343fb85aba1bc9736c4f15a7
                                                                                                    • Instruction Fuzzy Hash: AF11C471715A4054FF10AB62E8153A632A0B788744F84C22BA59A2A7E1EF3C8294C745
                                                                                                    Function 02B8F330 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,?,00000002,02B8F42B,00000002,?,?,02B8F5AF), ref: 02B8F369
                                                                                                    • WriteFile.KERNEL32 ref: 02B8F38D
                                                                                                    • GetStdHandle.KERNEL32 ref: 02B8F398
                                                                                                    • WriteFile.KERNEL32 ref: 02B8F3C7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleWrite
                                                                                                    • String ID: Error$Runtime error at 0000000000000000
                                                                                                    • API String ID: 3320372497-326393251
                                                                                                    • Opcode ID: 07df537a2eb8610d9f50b6acfb35282620404a183f3e0454f5aae36704332d06
                                                                                                    • Instruction ID: 3afcb6814f839490d2905e9a0b24b1c5474ded84c24d2f61fb8ba842e6b1c77f
                                                                                                    • Opcode Fuzzy Hash: 07df537a2eb8610d9f50b6acfb35282620404a183f3e0454f5aae36704332d06
                                                                                                    • Instruction Fuzzy Hash: 6B11DEB1605680A1EB12B760EE543B5736ABB94748F84429BA85E42BE0CF7CC388C702
                                                                                                    Function 02D01BC0 Relevance: 9.1, APIs: 6, Instructions: 140COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 351091851-0
                                                                                                    • Opcode ID: 1f1e1fca213bd4471b9d31fb041f7f210df7707d55576e655a93df060613bcce
                                                                                                    • Instruction ID: b061b6c947fd2e47562efd9414d508f8e688e19917495565be76f99dfc704563
                                                                                                    • Opcode Fuzzy Hash: 1f1e1fca213bd4471b9d31fb041f7f210df7707d55576e655a93df060613bcce
                                                                                                    • Instruction Fuzzy Hash: EC415A33601A548ACB54EF75C8903DE3762F784B9CB549425EA0E4BB68EF38D885D790
                                                                                                    Function 02B88110 Relevance: 9.1, APIs: 6, Instructions: 55fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3320372497-0
                                                                                                    • Opcode ID: 73b7cd4592b2fe3507ff297fed828d499ed5f0f04c3aae22a8ffe58e56e60fd2
                                                                                                    • Instruction ID: 4d1259642b6305c45db6c3ac8fa1f1d0deb66a5cc425e066c0f6094d4963ddf7
                                                                                                    • Opcode Fuzzy Hash: 73b7cd4592b2fe3507ff297fed828d499ed5f0f04c3aae22a8ffe58e56e60fd2
                                                                                                    • Instruction Fuzzy Hash: F311482232142446EB15BB729C103AA6347A789FD8F9402B2FD1E47BD4CF38C182CB80
                                                                                                    Function 004184E5 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise
                                                                                                    • String ID: H
                                                                                                    • API String ID: 3997070919-2852464175
                                                                                                    • Opcode ID: c43b60d8cf72a3823d7451ae9afc9a8553ce3dc008d3a1effab51d3691ce45d7
                                                                                                    • Instruction ID: ecd8838c27581fc748442bedbc61a2ad0fe478820062ad8a2277ddbcdb90897b
                                                                                                    • Opcode Fuzzy Hash: c43b60d8cf72a3823d7451ae9afc9a8553ce3dc008d3a1effab51d3691ce45d7
                                                                                                    • Instruction Fuzzy Hash: 99D1D236218B8486E771DB16E49439AB7A1F7C8788F50412AEACE47B68DF7CC584CB44
                                                                                                    Function 031E3540 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 237COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Read
                                                                                                    • String ID: libeay32.dll
                                                                                                    • API String ID: 946204249-3360492
                                                                                                    • Opcode ID: fe5a314a642635b12c67224c3d5e1c5f22630304d33d8e5399b22d63ed1a07eb
                                                                                                    • Instruction ID: b049cd517f0f2e5689995002aeafe4f2898430672d8c3095541474ac8553f40d
                                                                                                    • Opcode Fuzzy Hash: fe5a314a642635b12c67224c3d5e1c5f22630304d33d8e5399b22d63ed1a07eb
                                                                                                    • Instruction Fuzzy Hash: CED1D33A200FC599DB70DF26C8903E93766F388B98F418526CA4E4BB68DF35C289C751
                                                                                                    Function 031DAF10 Relevance: 8.9, APIs: 7, Instructions: 146COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 031DB00A
                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 031DB01D
                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 031DB118
                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 031DB15D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Leave$Enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 2978645861-0
                                                                                                    • Opcode ID: 4f6ec25c0a54857c4fa1d2f3e92ee4474ee3f8327e6132cc0da0e862552bb026
                                                                                                    • Instruction ID: abf6642f5d7879eb47e33f37c37d04acf35bad57b66c50be2870909b04d1ff89
                                                                                                    • Opcode Fuzzy Hash: 4f6ec25c0a54857c4fa1d2f3e92ee4474ee3f8327e6132cc0da0e862552bb026
                                                                                                    • Instruction Fuzzy Hash: 7E611436214B848ADB10EF3AD8903ED77A5F78AB88F558122DA4E47B79DF30C985C741
                                                                                                    Function 63081010 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124sleepCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep_amsg_exit
                                                                                                    • String ID: )c
                                                                                                    • API String ID: 1015461914-75524125
                                                                                                    • Opcode ID: 2d47ec537e41e8008ae4b7242e6b1a458a7845992c8306f8025732fe663f9dc8
                                                                                                    • Instruction ID: 289a964b45591193e58382a47245eb046469693443800d1ce9875b6169c4fbec
                                                                                                    • Opcode Fuzzy Hash: 2d47ec537e41e8008ae4b7242e6b1a458a7845992c8306f8025732fe663f9dc8
                                                                                                    • Instruction Fuzzy Hash: 4641C33270164186FF0A8B1BEC6135922A6FF85FD4F888426DE2C47354DE7ACA95C790
                                                                                                    Function 02F841B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$CloseFreeHandleLoadOpenProcess
                                                                                                    • String ID: PSAPI.dll
                                                                                                    • API String ID: 168809992-1989959638
                                                                                                    • Opcode ID: cbedb35af0815985903ec14e65f9e6d5b93b9b7bd49771cca56bcee24668c52e
                                                                                                    • Instruction ID: ef9bf2e9947bbc9f156cdd8c5423743261fa8c6bd5d423cd879ea66a574d51a9
                                                                                                    • Opcode Fuzzy Hash: cbedb35af0815985903ec14e65f9e6d5b93b9b7bd49771cca56bcee24668c52e
                                                                                                    • Instruction Fuzzy Hash: B841CB32600AC58EEB70EF35D844BD933A2F74678CF408169DB4D8BB18DB349A85CB41
                                                                                                    Function 0306DDE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Unable to initialise OpenSSL, xrefs: 0306DE9C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalFreeLibrarySection$EnterLeave
                                                                                                    • String ID: Unable to initialise OpenSSL
                                                                                                    • API String ID: 2860124073-1844264001
                                                                                                    • Opcode ID: 357e5594cfbb8b60728dd1088f20c1167f65c7d9bc4c78b41e984a98f73bd10a
                                                                                                    • Instruction ID: 145a208074c46ae25eec89b80cc9179fe8d2789d6dc3e3c292d1d26c63f5c546
                                                                                                    • Opcode Fuzzy Hash: 357e5594cfbb8b60728dd1088f20c1167f65c7d9bc4c78b41e984a98f73bd10a
                                                                                                    • Instruction Fuzzy Hash: 8231F236201E44C8EB46EF26E8A039D73A9F759F84F894422DA0D47778CF38C989C790
                                                                                                    Function 02B8D240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,02B8D3D2,?,?,?,?,02B96E28), ref: 02B8D25A
                                                                                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,02B8D3D2,?,?,?,?,02B96E28), ref: 02B8D269
                                                                                                    • GetLogicalProcessorInformation.KERNEL32(?,?,?,?,?,?,?,?,?,02B8D3D2,?,?,?,?,02B96E28), ref: 02B8D2A5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleInformationLogicalModuleProcProcessor
                                                                                                    • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                                                    • API String ID: 4292003513-812649623
                                                                                                    • Opcode ID: 9b9321e6cd49e53a415579cab475ade58907349ef645dfc8850ae596bfe29a5a
                                                                                                    • Instruction ID: 2fd705dc27d834b0c84a24aa530d44f5961cac2ae43047848f3fcd33b2306a58
                                                                                                    • Opcode Fuzzy Hash: 9b9321e6cd49e53a415579cab475ade58907349ef645dfc8850ae596bfe29a5a
                                                                                                    • Instruction Fuzzy Hash: 70214472601A16CDDB58FF36D5843AD3BA5EB00B98F14609AF64E47B98EB74C8C4C780
                                                                                                    Function 02F81610 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B9E130: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E162
                                                                                                      • Part of subcall function 02B9E130: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,031F621F), ref: 02B9E18E
                                                                                                    • FreeLibrary.KERNEL32 ref: 02F816D1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$FreeLibrary
                                                                                                    • String ID: CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                                                                                    • API String ID: 1649943339-171673395
                                                                                                    • Opcode ID: 2076bb3485a5605d8466da0316761d160d145886a2b0a6308af9a3cbca8db55c
                                                                                                    • Instruction ID: 3a2295fea6a61ebc55860663ca95a8f91da69881cfeab068e53c0a20bdfa2e31
                                                                                                    • Opcode Fuzzy Hash: 2076bb3485a5605d8466da0316761d160d145886a2b0a6308af9a3cbca8db55c
                                                                                                    • Instruction Fuzzy Hash: CA211832200A95CEDB14EF35D8883EE37A6F78478CF581126F64E46A68DF74C086CB80
                                                                                                    Function 02CFD440 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 12libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID: kernel32.dll$ntdll.dll$user32.dll
                                                                                                    • API String ID: 1029625771-3818928520
                                                                                                    • Opcode ID: 1dc84348b26b4d04fac6db6cdd9369c517628ee38394f8f47d2f6fb1405cdf8b
                                                                                                    • Instruction ID: 00d4e44a9a9e5e4caf29d78bd8842d355beb8b2bb12610274f9ab9ce178f58a7
                                                                                                    • Opcode Fuzzy Hash: 1dc84348b26b4d04fac6db6cdd9369c517628ee38394f8f47d2f6fb1405cdf8b
                                                                                                    • Instruction Fuzzy Hash: 66E06730502A00E1EA45EF11EDA775A77AAB751300FA14976C04E46661FF28D6558740
                                                                                                    Function 02D0B8E0 Relevance: 7.8, APIs: 5, Instructions: 290COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d3c1c605c9fd3f52d50adcab4e09599661d7701e40842187deffc8af03674dfe
                                                                                                    • Instruction ID: 21df094c9b49e512d7a086b8c39e9e313da8a598e3d6200897f62d7f6ed702dc
                                                                                                    • Opcode Fuzzy Hash: d3c1c605c9fd3f52d50adcab4e09599661d7701e40842187deffc8af03674dfe
                                                                                                    • Instruction Fuzzy Hash: 7DD10C27204A95D9CB64DF39C4D03ED3B62F784B8DB905012EA8E47BB9DF25C985C7A0
                                                                                                    Function 63088BC0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 144COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: obj_lib.c$s
                                                                                                    • API String ID: 3510742995-2322980213
                                                                                                    • Opcode ID: f49bfa01cb19e80a7b9da3f7670c1125dd333640d3f99bf773ddbb919df79433
                                                                                                    • Instruction ID: dacd4b2dcf8945a349655eb852e1a3b7ec570634e014581c62e95168f4285adb
                                                                                                    • Opcode Fuzzy Hash: f49bfa01cb19e80a7b9da3f7670c1125dd333640d3f99bf773ddbb919df79433
                                                                                                    • Instruction Fuzzy Hash: 0451D3A272275086FF11CF15D80472A27D6FB82F94F8689299E280B394EF7EC55DC750
                                                                                                    Function 631498A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: err.c$unknown
                                                                                                    • API String ID: 0-194724225
                                                                                                    • Opcode ID: d05e8e9efa834777e2d360079798b362c4d29a384839cb7d1d51d74d2873067f
                                                                                                    • Instruction ID: 7be473f96e2b465dc7e8c033ef42845ce9f133d421b0629321af012fbeaea617
                                                                                                    • Opcode Fuzzy Hash: d05e8e9efa834777e2d360079798b362c4d29a384839cb7d1d51d74d2873067f
                                                                                                    • Instruction Fuzzy Hash: 1C51EC32B806058BFB108F11E83079923A2F796F98F985425CD085B7A5DF7ECA99C3C1
                                                                                                    Function 0040C030 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetLogicalProcessorInformation.KERNEL32 ref: 0040C06D
                                                                                                    • GetLogicalProcessorInformation.KERNEL32 ref: 0040C095
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InformationLogicalProcessor
                                                                                                    • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                                                    • API String ID: 1773637529-812649623
                                                                                                    • Opcode ID: f754f73ba95b40a970c784cea538e301e4ab55cb8d82fa80798f915e757527e7
                                                                                                    • Instruction ID: b4036345117be647e3b1e0efa6a9641263b648d93ae137b3594f89fd11b169f3
                                                                                                    • Opcode Fuzzy Hash: f754f73ba95b40a970c784cea538e301e4ab55cb8d82fa80798f915e757527e7
                                                                                                    • Instruction Fuzzy Hash: E0213772602614C8DB54EF76C5C13AA3B61EB4479CF10612BF60B67B99DB79C8C2C788
                                                                                                    Function 63088A30 Relevance: 6.1, APIs: 4, Instructions: 113COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: isalnumisspace
                                                                                                    • String ID:
                                                                                                    • API String ID: 1594587697-0
                                                                                                    • Opcode ID: ab42b4f4914444569f7967ea85e87916e32aa2a9ecd2d9b83f3de635cd60b107
                                                                                                    • Instruction ID: 2acf5524d6537f1bb2e84dbcd183e07a01130e7558967abb0af2d4c79a743dbd
                                                                                                    • Opcode Fuzzy Hash: ab42b4f4914444569f7967ea85e87916e32aa2a9ecd2d9b83f3de635cd60b107
                                                                                                    • Instruction Fuzzy Hash: 563129A17492A484FF018B3F99703AA6FE6BB46FD4F8D0461EE6547391E63AC259C310
                                                                                                    Function 00412EB0 Relevance: 6.1, APIs: 4, Instructions: 106threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetThreadUILanguage.KERNEL32 ref: 00412EC9
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 00412F44
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 00412FB0
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 00412FF0
                                                                                                      • Part of subcall function 00412E50: GetThreadPreferredUILanguages.KERNEL32(?,?,?,00000000,?,00412F56), ref: 00412E75
                                                                                                      • Part of subcall function 00412E50: GetThreadPreferredUILanguages.KERNEL32(?,?,?,00000000,?,00412F56), ref: 00412E9E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$LanguagesPreferred$Language
                                                                                                    • String ID:
                                                                                                    • API String ID: 2255706666-0
                                                                                                    • Opcode ID: 6802968e1c0ee8af10eb4383f172149b9e8f0f5e546451e226d0c101f8c6265a
                                                                                                    • Instruction ID: 578ced364fb8eaaaae306f6f71c92a83ce38f2e20ba24fdd56e91d50615d0011
                                                                                                    • Opcode Fuzzy Hash: 6802968e1c0ee8af10eb4383f172149b9e8f0f5e546451e226d0c101f8c6265a
                                                                                                    • Instruction Fuzzy Hash: 3431B27221166089DB54DF36CA543EA3762FB44BCCF446026FA0687B58DF78C9C6C344
                                                                                                    Function 02B951B0 Relevance: 6.1, APIs: 4, Instructions: 106threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetThreadUILanguage.KERNEL32 ref: 02B951C9
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 02B95244
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 02B952B0
                                                                                                    • SetThreadPreferredUILanguages.KERNEL32 ref: 02B952F0
                                                                                                      • Part of subcall function 02B95150: GetThreadPreferredUILanguages.KERNEL32(?,?,?,00000000,?,02B95256), ref: 02B95175
                                                                                                      • Part of subcall function 02B95150: GetThreadPreferredUILanguages.KERNEL32(?,?,?,00000000,?,02B95256), ref: 02B9519E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Thread$LanguagesPreferred$Language
                                                                                                    • String ID:
                                                                                                    • API String ID: 2255706666-0
                                                                                                    • Opcode ID: b9684c59831775c199c47cd053ba1f43048f8ea7ae1302ce9630458bc133c273
                                                                                                    • Instruction ID: 23290fd530aed16c85d2d573bf5dfb1e80b3df7658337346124f180218241249
                                                                                                    • Opcode Fuzzy Hash: b9684c59831775c199c47cd053ba1f43048f8ea7ae1302ce9630458bc133c273
                                                                                                    • Instruction Fuzzy Hash: 4131DD722116609ADF6AEF35CA543EE3762EB44BCCF846025EA0B47B58DB38C885C740
                                                                                                    Function 02E09E80 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentMessagePost$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 1966937557-0
                                                                                                    • Opcode ID: 42bd6e0802f3be74a747a7d5bdfb02c278a82523ce12700f89a16c739e8e4ed1
                                                                                                    • Instruction ID: 95f11aa6644ebda02f7310038f716e8fe92ec3e7138374e4004345910062ae30
                                                                                                    • Opcode Fuzzy Hash: 42bd6e0802f3be74a747a7d5bdfb02c278a82523ce12700f89a16c739e8e4ed1
                                                                                                    • Instruction Fuzzy Hash: 6B413632211B84CEDB64DF7AD8947E83BA1F704B8CF146126EA0E47B5ACB75D592C740
                                                                                                    Function 631E0050 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • IsDBCSLeadByteEx.KERNEL32 ref: 631E00AA
                                                                                                    • MultiByteToWideChar.KERNEL32 ref: 631E00EA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Byte$CharLeadMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2561704868-0
                                                                                                    • Opcode ID: 4f31d0a6dcb906726fd324107183541e83d4d19845094dc4346d549075880897
                                                                                                    • Instruction ID: 18efeb1045612ffb53d3284c12d3582986fd3613d51434886efd11e6c7fb4276
                                                                                                    • Opcode Fuzzy Hash: 4f31d0a6dcb906726fd324107183541e83d4d19845094dc4346d549075880897
                                                                                                    • Instruction Fuzzy Hash: 093186B6708B8087E3518F2AF81034A76A1F795F94F488215EAE49BB95DF7EC195CB00
                                                                                                    Function 02E09D20 Relevance: 6.1, APIs: 4, Instructions: 89windowthreadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentMessagePost$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 1966937557-0
                                                                                                    • Opcode ID: fad9a8b37e8454528185d972ce2b44a9fc607af2ba9ae369ca5fc4144ef6b93d
                                                                                                    • Instruction ID: 7845717a13e601b0ad588588f7502992272f7eec8613c609597f17980bbfffc1
                                                                                                    • Opcode Fuzzy Hash: fad9a8b37e8454528185d972ce2b44a9fc607af2ba9ae369ca5fc4144ef6b93d
                                                                                                    • Instruction Fuzzy Hash: 10415932242B85CADB65DF35D8847D83BA1F305B8CF006226EA4E87B5ADB35D5C2C700
                                                                                                    Function 02B95320 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 02B95381
                                                                                                    • EnterCriticalSection.KERNEL32 ref: 02B95457
                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 02B95490
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Leave$Enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 2978645861-0
                                                                                                    • Opcode ID: 102235d5c4638e4d4829b14c0d1ab309a75e6202cd76c7051d4b9503bf78c665
                                                                                                    • Instruction ID: 7f32bf5915386bdf9716fc6bbe87841764f28aaf0f278fdfbd4e4049f2a3887a
                                                                                                    • Opcode Fuzzy Hash: 102235d5c4638e4d4829b14c0d1ab309a75e6202cd76c7051d4b9503bf78c665
                                                                                                    • Instruction Fuzzy Hash: FA414C35220A1188DF21FF75D8903ED2726EB4479CF946562EB0E47B68EF78C585CB90
                                                                                                    Function 63081370 Relevance: 6.1, APIs: 4, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3536220146.0000000063081000.00000040.00001000.00020000.00000000.sdmp, Offset: 63080000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3536200814.0000000063080000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063238000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.000000006325F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.0000000063280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3536220146.00000000632A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_63080000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _lock_unlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 2848772494-0
                                                                                                    • Opcode ID: 89b3c947f0a54fc1b794e299c810485419fa496df16d59da35415977b850916c
                                                                                                    • Instruction ID: ebc4bd3d7d94ce3c010cc5563f80e01e2c0bd1d177a9e219431e325ac9bdd1df
                                                                                                    • Opcode Fuzzy Hash: 89b3c947f0a54fc1b794e299c810485419fa496df16d59da35415977b850916c
                                                                                                    • Instruction Fuzzy Hash: C0115E62702F4483EF058B6AD95035862E5EB55FE8F48C535DA6C4B3C8EF79C491C350
                                                                                                    Function 00407FF0 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403FD5), ref: 00408045
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403FD5), ref: 00408073
                                                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403FD5), ref: 0040807E
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403FD5), ref: 004080A4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3512211062.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3512192218.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008B7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3512211062.00000000008D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3517512422.0000000000902000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_EEghgCvQUy.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3320372497-0
                                                                                                    • Opcode ID: c91353dc89f518c86d1aba9e4bc8fd96b85897fe27a58436f5c3451583c00797
                                                                                                    • Instruction ID: 41c510431c088b0c9949f9785689888b3aaf96f229a1689b83ef940d6c284b0f
                                                                                                    • Opcode Fuzzy Hash: c91353dc89f518c86d1aba9e4bc8fd96b85897fe27a58436f5c3451583c00797
                                                                                                    • Instruction Fuzzy Hash: 0811A02231095444EA14AB73AC1179A6651A785BDCF84863BBE4B2BBD9CF3CC0918784
                                                                                                    Function 02BB91A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.3523023859.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.3523002792.0000000002B80000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032CF000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.3523023859.00000000032D8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b80000_EEghgCvQUy.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                    • String ID: yyyy
                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                    • Opcode ID: b95d9387a4faef1d4f28b51f71974c5c9cca524b9bbe22d06ea6b579b74bfc22
                                                                                                    • Instruction ID: ebd2a2ba4df170bcbba29fbbd89cc8350d440e29809b999b9aeffe43536ed991
                                                                                                    • Opcode Fuzzy Hash: b95d9387a4faef1d4f28b51f71974c5c9cca524b9bbe22d06ea6b579b74bfc22
                                                                                                    • Instruction Fuzzy Hash: 3D313832615A80C9DB64EF75C8847EC3761FB88B88F505112EB4D87B68DF76C584CB40