
Windows Analysis Report
aqbjn3fl.exe

Overview

General Information

Sample name:aqbjn3fl.exe
Analysis ID:1577502
MD5:34a152eb5d1d3e63dafef23579042933
SHA1:9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256:42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
Tags:18521511316185215113209bulletproofexeLummaStealeruser-abus3reports

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • aqbjn3fl.exe (PID: 5360 cmdline: "C:\Users\user\Desktop\aqbjn3fl.exe" MD5: 34A152EB5D1D3E63DAFEF23579042933)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aqbjn3fl.exe (PID: 4260 cmdline: "C:\Users\user\Desktop\aqbjn3fl.exe" MD5: 34A152EB5D1D3E63DAFEF23579042933)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["p3ar11fter.sbs", "3xp3cts1aim.sbs", "librari-night.sbs", "push-hook.cyou", "p10tgrace.sbs", "owner-vacat10n.sbs", "befall-sm0ker.sbs", "peepburry828.sbs", "processhol.sbs"], "Build id": "FATE99--november"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
3.2.aqbjn3fl.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
3.2.aqbjn3fl.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T14:30:06.857533+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 23.55.153.106 | 443 | TCP
2024-12-18T14:30:09.406227+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.981632+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.009979+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.009979+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:04.831379+0100 | 2057695 | 1 | A Network Trojan was detected | 192.168.2.8 | 52424 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:05.063325+0100 | 2057698 | 1 | A Network Trojan was detected | 192.168.2.8 | 57787 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.168631+0100 | 2057696 | 1 | A Network Trojan was detected | 192.168.2.8 | 59232 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.233194+0100 | 2057697 | 1 | A Network Trojan was detected | 192.168.2.8 | 54307 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.831379+0100 | 2057652 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 52424 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.700559+0100 | 2057654 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 58689 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.465654+0100 | 2057658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 61692 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.490999+0100 | 2057660 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 51182 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.938536+0100 | 2057662 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 52911 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:05.063325+0100 | 2057664 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 57787 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.168631+0100 | 2057666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59232 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.233194+0100 | 2057668 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 54307 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.003968+0100 | 2057838 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 63792 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:07.638934+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49710 | 23.55.153.106 | 443 | TCP

AV Detection

              Source: aqbjn3fl.exeAvira: detected
              Source: push-hook.cyouAvira URL Cloud: Label: malware
              Source: 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: LummaC {"C2 url": ["p3ar11fter.sbs", "3xp3cts1aim.sbs", "librari-night.sbs", "push-hook.cyou", "p10tgrace.sbs", "owner-vacat10n.sbs", "befall-sm0ker.sbs", "peepburry828.sbs", "processhol.sbs"], "Build id": "FATE99--november"}
              Source: aqbjn3fl.exeReversingLabs: Detection: 78%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 90.5% probability
              Source: aqbjn3fl.exeJoe Sandbox ML: detected
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: p3ar11fter.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: 3xp3cts1aim.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: owner-vacat10n.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: peepburry828.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: p10tgrace.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: befall-sm0ker.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: librari-night.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: processhol.sbs
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: push-hook.cyou
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: FATE99--november
              Source: aqbjn3fl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49711 version: TLS 1.2
              Source: aqbjn3fl.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 0_2_009DF6A0 FindFirstFileExW,0_2_009DF6A0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 0_2_009DF751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_009DF751
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 3_2_009DF6A0 FindFirstFileExW,3_2_009DF6A0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 3_2_009DF751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_009DF751
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-532F9054h]3_2_0040A874
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esp+ecx-05h]3_2_0040BDB0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov byte ptr [eax], bl3_2_0040CEF5
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]3_2_00403060
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esp+ecx]3_2_00424800
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then jmp dword ptr [00446B78h]3_2_0041ECF4
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then jmp eax3_2_00418940
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh]3_2_00409150
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]3_2_00425150
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h3_2_00423560
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h3_2_00441160
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then push eax3_2_00418D27
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov word ptr [eax], cx3_2_004195D1
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov esi, edx3_2_00427E50
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-69h]3_2_00427E50
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ebx, byte ptr [esp+edx+4B5D9729h]3_2_0040CA6A
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-29h]3_2_0041DE73
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov ecx, eax3_2_00425A75
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esi+eax+08h]3_2_0041B634
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-3DC4CF7Bh]3_2_004252A2
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edx, byte ptr [edi+ecx+26702EC9h]3_2_0041A6A3
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov ecx, eax3_2_004272A0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ebp, word ptr [eax]3_2_004412A0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]3_2_00401F50
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h3_2_0043BF10
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov ecx, edx3_2_004237C0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esp+esi+04h]3_2_0043BFC0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-29h]3_2_0041DBD4
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-6Ah]3_2_0041DBDB
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx edi, word ptr [edi+ecx*4]3_2_00407BB0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]3_2_00407BB0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]3_2_00407BB0
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 4x nop then mov ebx, edx3_2_004277BD

Networking

              Source: Network trafficSuricata IDS: 2057652 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) : 192.168.2.8:52424 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057654 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) : 192.168.2.8:58689 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057660 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) : 192.168.2.8:51182 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057666 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) : 192.168.2.8:59232 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057696 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) : 192.168.2.8:59232 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057664 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs) : 192.168.2.8:57787 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057698 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) : 192.168.2.8:57787 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.8:52911 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057695 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) : 192.168.2.8:52424 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.8:61692 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057838 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou) : 192.168.2.8:63792 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.8:54307 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.8:54307 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49710 -> 23.55.153.106:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49711 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49711 -> 172.67.157.254:443
              Source: Malware configuration extractorURLs: p3ar11fter.sbs
              Source: Malware configuration extractorURLs: 3xp3cts1aim.sbs
              Source: Malware configuration extractorURLs: librari-night.sbs
              Source: Malware configuration extractorURLs: push-hook.cyou
              Source: Malware configuration extractorURLs: p10tgrace.sbs
              Source: Malware configuration extractorURLs: owner-vacat10n.sbs
              Source: Malware configuration extractorURLs: befall-sm0ker.sbs
              Source: Malware configuration extractorURLs: peepburry828.sbs
              Source: Malware configuration extractorURLs: processhol.sbs
              Source: Joe Sandbox ViewIP Address: 172.67.157.254 172.67.157.254
              Source: Joe Sandbox ViewIP Address: 23.55.153.106 23.55.153.106
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 23.55.153.106:443
              Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: push-hook.cyou
              Source: global trafficDNS traffic detected: DNS query: processhol.sbs
              Source: global trafficDNS traffic detected: DNS query: librari-night.sbs
              Source: global trafficDNS traffic detected: DNS query: befall-sm0ker.sbs
              Source: global trafficDNS traffic detected: DNS query: p10tgrace.sbs
              Source: global trafficDNS traffic detected: DNS query: peepburry828.sbs
              Source: global trafficDNS traffic detected: DNS query: owner-vacat10n.sbs
              Source: global trafficDNS traffic detected: DNS query: 3xp3cts1aim.sbs
              Source: global trafficDNS traffic detected: DNS query: p3ar11fter.sbs
              Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
              Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
              Source: aqbjn3fl.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: aqbjn3fl.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
              Source: aqbjn3fl.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: aqbjn3fl.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
              Source: aqbjn3fl.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
              Source: aqbjn3fl.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
              Source: aqbjn3fl.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: aqbjn3fl.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
              Source: aqbjn3fl.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
              Source: aqbjn3fl.exeString found in binary or memory: http://ocsp.comodoca.com0
              Source: aqbjn3fl.exeString found in binary or memory: http://ocsp.sectigo.com0
              Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
              Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
              Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
              Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
              Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastH
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.st
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstaK
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.co
              Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
              Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DW
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000361C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000361C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
Source: aqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
Source: aqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/2
Source: aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
Source: aqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: aqbjn3fl.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
Source: aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009CD4C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D4CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D6CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C4CE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D6820
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C3460
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D7860
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D4190
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009B5930
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C4930
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009CDD20
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D1D50
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C8149
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BB964
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C5610
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009E5E42
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D1387
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C5F80
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C9BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C3FA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C2B07
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C6350
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D7350
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C7F74
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BA36B
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009CF360
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0040B6E0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0040CEF5
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00439310
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00408F20
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00404440
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00403060
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00424800
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00406C10
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00402CC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00420CD0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004418D0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041FC80
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00406090
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041F090
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004070A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004400A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0040DCB7
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00409940
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00409150
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00406550
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0042F960
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00438970
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00409DC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004195D1
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0040ADE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004415B0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00427E50
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00403A60
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00425A75
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0040B220
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0043FB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00424EE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041BAE6
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041B2F0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00439AF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041CA80
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00420EA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041A6A3
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004412A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041DF60
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0043BB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0043FB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041F710
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00438710
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041AB3B
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004237C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0043FFD0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00427BEB
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0042A3F0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00441BF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0041C3FA
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00404F8F
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00422BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_00407BB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_004277BD
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009CC0C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009B1000
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D6820
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D7860
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D4190
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BA180
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C01B0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009B5930
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C4930
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C9BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C7BF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C6350
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D7350
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009CF360
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009CD4C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D4CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D6CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C4CE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C3460
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009B5540
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009CDE90
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C5610
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009E5E42
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009B3E60
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C5F80
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C3FA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: String function: 009D98B0 appears 63 times
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: String function: 009DCB18 appears 35 times
              Source: aqbjn3fl.exeStatic PE information: invalid certificate
              Source: aqbjn3fl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: aqbjn3fl.exeStatic PE information: Section: .bOS ZLIB complexity 1.0003366361788617
              Source: classification engineClassification label: mal100.troj.evad.winEXE@4/0@11/2
              Source: C:\Users\user\Desktop\aqbjn3fl.exeCode function: 3_2_00439310 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,3_2_00439310
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
              Source: aqbjn3fl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\aqbjn3fl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: aqbjn3fl.exeReversingLabs: Detection: 78%
              Source: C:\Users\user\Desktop\aqbjn3fl.exeFile read: C:\Users\user\Desktop\aqbjn3fl.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"
              Source: C:\Users\user\Desktop\aqbjn3fl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\aqbjn3fl.exeProcess created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"
              Source: C:\Users\user\Desktop\aqbjn3fl.exeProcess created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"Jump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\aqbjn3fl.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Section loaded: ondemandconnroutehelper.dll
Source: aqbjn3fl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: aqbjn3fl.exe | Static PE information: section name: .00cfg
Source: aqbjn3fl.exe | Static PE information: section name: .bOS
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009E011A push ecx; ret 0_2_009E012D
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009E011A push ecx; ret 3_2_009E012D
Source: aqbjn3fl.exe | Static PE information: section name: .text entropy: 6.95731113161578
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aqbjn3fl.exe | API coverage: 8.6 %
Source: C:\Users\user\Desktop\aqbjn3fl.exe TID: 4808 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\aqbjn3fl.exe TID: 4808 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\aqbjn3fl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009DF6A0 FindFirstFileExW,0_2_009DF6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009DF751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_009DF751
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009DF6A0 FindFirstFileExW,3_2_009DF6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009DF751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_009DF751
Source: aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1591874242.000000000361C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000361C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_0043E470 LdrInitializeThunk,3_2_0043E470
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D96CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009D96CF
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009ED18D mov edi, dword ptr fs:[00000030h] 0_2_009ED18D
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BD478 mov edi, dword ptr fs:[00000030h] 0_2_009BD478
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BD07E mov edi, dword ptr fs:[00000030h] 0_2_009BD07E
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C2C60 mov eax, dword ptr fs:[00000030h] 0_2_009C2C60
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C2C60 mov eax, dword ptr fs:[00000030h] 0_2_009C2C60
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BCD0A mov edi, dword ptr fs:[00000030h] 0_2_009BCD0A
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BCD0A mov edi, dword ptr fs:[00000030h] 0_2_009BCD0A
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BE946 mov edi, dword ptr fs:[00000030h] 0_2_009BE946
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BD6BB mov edi, dword ptr fs:[00000030h] 0_2_009BD6BB
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BD6BB mov edi, dword ptr fs:[00000030h] 0_2_009BD6BB
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C2BBB mov eax, dword ptr fs:[00000030h] 0_2_009C2BBB
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009C2BBB mov eax, dword ptr fs:[00000030h] 0_2_009C2BBB
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009BE359 mov edi, dword ptr fs:[00000030h] 0_2_009BE359
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0 mov eax, dword ptr fs:[00000030h] 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0 mov eax, dword ptr fs:[00000030h] 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0 mov eax, dword ptr fs:[00000030h] 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0 mov eax, dword ptr fs:[00000030h] 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009C2AC0 mov eax, dword ptr fs:[00000030h] 3_2_009C2AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009BCCC0 mov edi, dword ptr fs:[00000030h] 3_2_009BCCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009DCB30 GetProcessHeap,0_2_009DCB30
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D904F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_009D904F
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D96CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009D96CF
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D96C3 SetUnhandledExceptionFilter,0_2_009D96C3
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009DB7BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009DB7BA
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D904F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_009D904F
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D96CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_009D96CF
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009D96C3 SetUnhandledExceptionFilter,3_2_009D96C3
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 3_2_009DB7BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_009DB7BA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009ED18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_009ED18D
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Memory written: C:\Users\user\Desktop\aqbjn3fl.exe base: 400000 value starts with: 4D5A
Source: aqbjn3fl.exe, 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: p3ar11fter.sbs
Source: aqbjn3fl.exe, 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 3xp3cts1aim.sbs
Source: aqbjn3fl.exe, 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: peepburry828.sbs
Source: aqbjn3fl.exe, 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: p10tgrace.sbs
Source: aqbjn3fl.exe, 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: processhol.sbs
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Process created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D98F5 cpuid 0_2_009D98F5
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Code function: 0_2_009D9586 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_009D9586
Source: C:\Users\user\Desktop\aqbjn3fl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.aqbjn3fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.aqbjn3fl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 3.2.aqbjn3fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.aqbjn3fl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques with a leading number were matched by this sample's signatures; the rest are the unmatched matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Virtualization/Sandbox Evasion; 211 Process Injection; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 33 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 2 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection, submitted sample

Source | Detection | Scanner | Label
aqbjn3fl.exe | 79% | ReversingLabs | Win32.Trojan.Stealerc
aqbjn3fl.exe | 100% | Avira | HEUR/AGEN.1361736
aqbjn3fl.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection, URLs and domains

Source | Detection | Scanner | Label
https://lev-tolstoi.com/ | 0% | Avira URL Cloud | safe
push-hook.cyou | 100% | Avira URL Cloud | malware
https://community.fastH | 0% | Avira URL Cloud | safe
https://community.fastly.steamstaK | 0% | Avira URL Cloud | safe
https://community.fastly.steamstatic.co | 0% | Avira URL Cloud | safe
https://community.fastly.steamstatic. | 0% | Avira URL Cloud | safe
https://community.fastly.st | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/2 | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/pi | 0% | Avira URL Cloud | safe

Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
librari-night.sbs | unknown | unknown | false | | high
owner-vacat10n.sbs | unknown | unknown | false | | high
p10tgrace.sbs | unknown | unknown | false | | high
befall-sm0ker.sbs | unknown | unknown | false | | high
3xp3cts1aim.sbs | unknown | unknown | false | | high
p3ar11fter.sbs | unknown | unknown | false | | high
push-hook.cyou | unknown | unknown | false | | high
peepburry828.sbs | unknown | unknown | false | | high
processhol.sbs | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
librari-night.sbs | false | | high
peepburry828.sbs | false | | high
owner-vacat10n.sbs | false | | high
p10tgrace.sbs | false | | high
processhol.sbs | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
befall-sm0ker.sbs | false | | high
push-hook.cyou | true | Avira URL Cloud: malware | unknown
p3ar11fter.sbs | false | | high
https://lev-tolstoi.com/api | false | | high

URLs from memory and binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/my/wishlist/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DW | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | aqbjn3fl.exe | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe& | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | aqbjn3fl.exe | false | | high
http://ocsp.sectigo.com0 | aqbjn3fl.exe | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.steampowered.com/en/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/market/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/news/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.co | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/subscriber_agreement/ | aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | aqbjn3fl.exe | false | | high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://recaptcha.net/recaptcha/; | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/discussions/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | aqbjn3fl.exe | false | | high
https://store.steampowered.com/stats/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://medal.tv | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/steam_refunds/ | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.st | aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e | aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                                                                  https://steamcommunity.com/workshop/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxxaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_caqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://store.steampowered.com/legal/aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#aqbjn3fl.exefalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enaqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=engaqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://sectigo.com/CPS0aqbjn3fl.exefalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=enaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&aaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=englaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://lev-tolstoi.com/aqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://store.steampowered.com/privacy_agreement/aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://lev-tolstoi.com/2aqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://store.steampowered.com/points/shop/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#aqbjn3fl.exefalse
                                                                                                                                                                  high
                                                                                                                                                                  https://recaptcha.netaqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://store.steampowered.com/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&aaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://steamcommunity.com/profiles/76561199724331900/inventory/aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/privacy_agreement/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://community.fastHaqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://community.fastly.steamstatic.aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gifaqbjn3fl.exe, 00000003.00000003.1591874242.000000000361C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000361C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.fastly.steamstaKaqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0yaqbjn3fl.exefalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zaqbjn3fl.exefalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://www.google.com/recaptcha/aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://api.steampowered.com/aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://store.steampowered.com/account/cookiepreferences/aqbjn3fl.exe, 00000003.00000003.1591832404.00000000036DB000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://store.steampowered.com/mobileaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://steamcommunity.com/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://lev-tolstoi.com/piaqbjn3fl.exe, 00000003.00000003.1592122314.00000000036CC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1593458632.00000000036CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          https://store.steampowered.com/;aqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://store.steampowered.com/about/aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&laqbjn3fl.exe, 00000003.00000003.1591874242.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.1592600392.000000000367D000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://steamcommunity.com/profiles/76561199724331900/badgesaqbjn3fl.exe, 00000003.00000003.1582097935.00000000036D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577502
Start date and time: 2024-12-18 14:28:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: aqbjn3fl.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/0@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 73%
• Number of executed functions: 21
• Number of non-executed functions: 108
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: aqbjn3fl.exe
Time | Type | Description
08:30:02 | API Interceptor | 9x Sleep call for process: aqbjn3fl.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
172.67.157.254 | v_dolg.exe | malicious | LummaC Stealer
172.67.157.254 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar
172.67.157.254 | alexshlu.exe | malicious | LummaC Stealer
172.67.157.254 | ardware-v1.exe | malicious | LummaC
172.67.157.254 | https://t.co/nq9BYOxCg9 | malicious | HTMLPhisher
23.55.153.106 | zq6a1iqg.exe | malicious | LummaC Stealer
23.55.153.106 | v_dolg.exe | malicious | LummaC Stealer
23.55.153.106 | cccc2.exe | malicious | LummaC
23.55.153.106 | CompleteStudio.exe | malicious | LummaC
23.55.153.106 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar
23.55.153.106 | alexshlu.exe | malicious | LummaC Stealer
23.55.153.106 | 99awhy8l.exe | malicious | LummaC
23.55.153.106 | 5_6253708004881862888.exe | malicious | LummaC
23.55.153.106 | noll.exe | malicious | Stealc, Vidar
23.55.153.106 | 1fxm3u0d.exe | malicious | LummaC
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
lev-tolstoi.com | v_dolg.exe | malicious | LummaC Stealer | 172.67.157.254
lev-tolstoi.com | CompleteStudio.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 172.67.157.254
lev-tolstoi.com | alexshlu.exe | malicious | LummaC Stealer | 172.67.157.254
lev-tolstoi.com | 5_6253708004881862888.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | 1fxm3u0d.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | 2kudv4ea.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | ardware-v1.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | ardware-v1.exe | malicious | LummaC | 172.67.157.254
steamcommunity.com | zq6a1iqg.exe | malicious | LummaC Stealer | 23.55.153.106
steamcommunity.com | v_dolg.exe | malicious | LummaC Stealer | 23.55.153.106
steamcommunity.com | cccc2.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | CompleteStudio.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 23.55.153.106
steamcommunity.com | alexshlu.exe | malicious | LummaC Stealer | 23.55.153.106
steamcommunity.com | 99awhy8l.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | 5_6253708004881862888.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | noll.exe | malicious | Stealc, Vidar | 23.55.153.106
steamcommunity.com | 1fxm3u0d.exe | malicious | LummaC | 23.55.153.106
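The network indicators above are not all equally useful: lev-tolstoi.com is the contacted C2 domain, but the addresses it resolved to (172.67.157.254, 104.21.66.86) sit in Cloudflare's AS13335 and 23.55.153.106 is an Akamai AS20940 edge, and steamcommunity.com is a legitimate, heavily used site. An IP or Steam hit alone is therefore weak evidence, while a DNS query for the C2 domain is strong. The following is an added example by the editor, not part of the Joe Sandbox report, showing one way to tier these IOCs when hunting in DNS or proxy logs; the log line format, the tier names and the helper names are constructed assumptions, and the sample log lines are made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from this report. They are tiered because, per the ASN column,
# 172.67.157.254 and 104.21.66.86 are Cloudflare (AS13335) edges and 23.55.153.106
# is an Akamai (AS20940) edge: many unrelated sites share those addresses, so an
# IP hit on its own is weak evidence, while the lev-tolstoi.com C2 domain is strong.
HIGH_CONFIDENCE_DOMAINS = {"lev-tolstoi.com"}
# steamcommunity.com is a legitimate, heavily used site; a hit says "look at which
# process made the request", not "host compromised".
CONTEXT_DOMAINS = {"steamcommunity.com"}
SHARED_CDN_IPS = {"172.67.157.254", "104.21.66.86", "23.55.153.106"}

# Constructed log format (an assumption, not the report's): "<ts> <src_ip> <query> <answer_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    line_no: int
    indicator: str
    tier: str  # "high", "context" or "low"


def _under(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it (not a look-alike)."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Map one DNS name or IP literal to (indicator, tier), or None if it is not an IOC."""
    for d in HIGH_CONFIDENCE_DOMAINS:
        if _under(value, d):
            return d, "high"
    for d in CONTEXT_DOMAINS:
        if _under(value, d):
            return d, "context"
    try:
        ip = str(ipaddress.ip_address(value))
    except ValueError:
        return None  # neither an IP literal nor a listed domain
    return (ip, "low") if ip in SHARED_CDN_IPS else None


def scan(lines: List[str]) -> List[Hit]:
    """Check both the queried name and the answer IP of every parseable line."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, _src, qname, answer = m.groups()
        for field in (qname, answer):
            c = classify(field)
            if c:
                hits.append(Hit(n, c[0], c[1]))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Fold hits into one action: the C2 domain is decisive, CDN IPs alone are not."""
    tiers = {h.tier for h in hits}
    if "high" in tiers:
        return "block_and_investigate"
    if tiers & {"context", "low"}:
        return "review"
    return "clean"


# Constructed sample lines (not from the report) exercising all three tiers.
SAMPLE_LOG = [
    "2024-12-18T13:30:02Z 10.0.0.5 lev-tolstoi.com 172.67.157.254",
    "2024-12-18T13:30:05Z 10.0.0.5 steamcommunity.com 23.55.153.106",
    "2024-12-18T13:30:09Z 10.0.0.7 www.example.com 93.184.216.34",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.indicator} ({h.tier})")
    print("verdict:", verdict(found))
```

The point of the tiers is that blocking 172.67.157.254 or 23.55.153.106 at the firewall would break unrelated Cloudflare and Akamai hosted sites; the domain is the indicator worth blocking, and the IPs and the Steam lookup are pivots for finding which process on the host made the request.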
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AKAMAI-ASN1 EU | http://www.mynylgbs.com | malicious | Unknown | 23.195.38.175
AKAMAI-ASN1 EU | loligang.ppc.elf | malicious | Mirai | 96.17.102.118
AKAMAI-ASN1 EU | zq6a1iqg.exe | malicious | LummaC Stealer | 23.55.153.106
AKAMAI-ASN1 EU | v_dolg.exe | malicious | LummaC Stealer | 23.55.153.106
AKAMAI-ASN1 EU | cccc2.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1 EU | CompleteStudio.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1 EU | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 23.55.153.106
AKAMAI-ASN1 EU | alexshlu.exe | malicious | LummaC Stealer | 23.55.153.106
AKAMAI-ASN1 EU | 99awhy8l.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1 EU | 5_6253708004881862888.exe | malicious | LummaC | 23.55.153.106
CLOUDFLARENET US | https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing | malicious | Unknown | 162.159.140.147
CLOUDFLARENET US | goldlummaa.exe | malicious | LummaC | 104.21.50.161
CLOUDFLARENET US | hnsjdghf18.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
CLOUDFLARENET US | ko.ps1.2.ps1 | malicious | Unknown | 172.64.41.3
CLOUDFLARENET US | kjshdgacg18.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
CLOUDFLARENET US | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 104.21.23.76
CLOUDFLARENET US | InstallSetup.exe | malicious | LummaC |
                                                                                                                                                                                                                                                • 172.67.220.223
                                                                                                                                                                                                                                                Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                                                • 104.21.67.152
                                                                                                                                                                                                                                                ScreenUpdateSync.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 104.21.24.223
                                                                                                                                                                                                                                                random.exe.10.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 104.21.23.76
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
goldlummaa.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 172.67.157.254, 23.55.153.106
InstallSetup.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
ScreenUpdateSync.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
random.exe.10.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
zq6a1iqg.exe | malicious | LummaC Stealer | 172.67.157.254, 23.55.153.106
v_dolg.exe | malicious | LummaC Stealer | 172.67.157.254, 23.55.153.106
winrar-x64-701.exe | malicious | Unknown | 172.67.157.254, 23.55.153.106
cccc2.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
CompleteStudio.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
No context

No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.693168108127972
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: aqbjn3fl.exe
File size: 586'368 bytes
MD5: 34a152eb5d1d3e63dafef23579042933
SHA1: 9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256: 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
SHA512: 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe
SSDEEP: 12288:9o3gygylSwAN2kLkhn23c7Abpzq/Dw3imKQJ4nTL35iDBrDEnchQm/71lr7v:i3gygnN2kLktsc7keDHQJqTk9Fr7v
TLSH: D0C4D1125541E8A3F88318FF3DB6A32734A773B2B6B1CAD3C17574685B400C195EAE6E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...<.=g.................V........................@.......................................@.................................T...(..
Icon Hash: 00928e8e8686b000

Entrypoint: 0x4292e0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x673DAB3C [Wed Nov 20 09:26:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 3a33a82bcd5969a5b19ce5fba049e5b4

Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the digest inside the signature does not match the hash of the file as submitted, so the Authenticode signature does not cover this binary even though the certificate chain is present)
Not Before: 30/08/2023 20:00:00
Not After: 30/08/2026 19:59:59
Subject: CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version: 3
Thumbprint MD5: AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1: 141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256: A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial: 00D0461B529F67189D43744E9CEFE172AE
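Added example, not code from the Joe Sandbox report or from the sample: a stdlib-only Python parser that decodes the PE header fields listed above (compile timestamp, image characteristics, DLL characteristics, subsystem, entrypoint VA) from raw bytes, plus a helper that turns the signed "Error Number" into the HRESULT Windows documents. The header bytes are constructed here from the values the report shows (timestamp 0x673DAB3C, Characteristics 0x0102, DllCharacteristics 0xC340, entrypoint RVA 0x292E0 at ImageBase 0x400000); they are not the real file, so nothing here needs the sample on disk. The `aslr_possible` field is an added check the report does not make: DYNAMIC_BASE only yields ASLR when relocations were not stripped.

```python
"""Decode PE32 header fields the way a sandbox report lists them.

Added example for this page (not Joe Sandbox code). The header is
CONSTRUCTED from the report's values; it is not the sample's bytes.
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (subset)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}

FILE_HDR_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes
# IMAGE_OPTIONAL_HEADER32 without the data directories, 96 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
OPT32_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
    "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
    "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage", "SizeOfHeaders",
    "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes",
)
assert struct.calcsize(OPT32_FMT) == 96 and len(OPT32_FIELDS) == 30


def build_header(time_stamp, characteristics, entry_rva, image_base, subsystem, dll_chars):
    """Pack MZ + PE\\0\\0 + file header + optional header (constructed test data)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, 1, time_stamp, 0, 0, 96, characteristics)
    values = dict.fromkeys(OPT32_FIELDS, 0)
    values.update(Magic=0x10B, AddressOfEntryPoint=entry_rva, ImageBase=image_base,
                  MajorOperatingSystemVersion=6, MajorSubsystemVersion=6,
                  Subsystem=subsystem, DllCharacteristics=dll_chars)
    opt = struct.pack(OPT32_FMT, *(values[f] for f in OPT32_FIELDS))
    return bytes(dos) + b"PE\0\0" + file_hdr + opt


def flag_names(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Return report-style fields from the leading bytes of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from(
        FILE_HDR_FMT, data, e_lfanew + 4)
    opt = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, e_lfanew + 24)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    return {
        "machine": "0x%X" % machine,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(opt["DllCharacteristics"], DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(opt["Subsystem"], str(opt["Subsystem"])),
        "entrypoint_va": opt["ImageBase"] + opt["AddressOfEntryPoint"],
        # DYNAMIC_BASE alone is not ASLR: the loader also needs relocations
        "aslr_possible": bool(opt["DllCharacteristics"] & 0x0040) and not (chars & 0x0001),
    }


def hresult(error_number):
    """Render a signed Win32 'Error Number' as the documented HRESULT hex."""
    return "0x%08X" % (error_number & 0xFFFFFFFF)


# Constructed from the values the report shows for aqbjn3fl.exe (not the real bytes)
REPORT_HEADER = build_header(0x673DAB3C, 0x0102, 0x292E0, 0x400000, 3, 0xC340)

if __name__ == "__main__":
    for key, value in parse_pe_header(REPORT_HEADER).items():
        print(f"{key}: {value}")
    print("signature error:", hresult(-2146869232))  # 0x80096010 = TRUST_E_BAD_DIGEST
```

Running it prints the same timestamp string and flag lists the report shows; on a real file, pass `open(path, "rb").read(4096)` to `parse_pe_header` and compare the decoded fields with the sandbox output before trusting either.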
Instruction (entrypoint preview)
call 00007FD1E8927DFBh
jmp 00007FD1E8927A0Dh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FD1E8927BAFh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [0043E488h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007FD1E8927BA9h
call 00007FD1E8929A2Bh
jmp 00007FD1E8927BADh
push 0043E488h
call 00007FD1E89299AEh
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                push 00000008h
                                                                                                                                                                                                                                                push 0043C8E0h
                                                                                                                                                                                                                                                call 00007FD1E892811Dh
                                                                                                                                                                                                                                                and dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                                                                mov eax, 00005A4Dh
                                                                                                                                                                                                                                                cmp word ptr [00400000h], ax
                                                                                                                                                                                                                                                jne 00007FD1E8927BFFh
                                                                                                                                                                                                                                                mov eax, dword ptr [0040003Ch]
                                                                                                                                                                                                                                                cmp dword ptr [eax+00400000h], 00004550h
                                                                                                                                                                                                                                                jne 00007FD1E8927BEEh
                                                                                                                                                                                                                                                mov ecx, 0000010Bh
                                                                                                                                                                                                                                                cmp word ptr [eax+00400018h], cx
                                                                                                                                                                                                                                                jne 00007FD1E8927BE0h
                                                                                                                                                                                                                                                mov eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                                mov ecx, 00400000h
                                                                                                                                                                                                                                                sub eax, ecx
                                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                call 00007FD1E8927D22h
                                                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                                                test eax, eax
                                                                                                                                                                                                                                                je 00007FD1E8927BC9h
                                                                                                                                                                                                                                                cmp dword ptr [eax+24h], 00000000h
                                                                                                                                                                                                                                                jl 00007FD1E8927BC3h
                                                                                                                                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                                                                mov al, 01h
                                                                                                                                                                                                                                                jmp 00007FD1E8927BC1h
                                                                                                                                                                                                                                                mov eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                mov eax, dword ptr [eax]
                                                                                                                                                                                                                                                xor ecx, ecx
                                                                                                                                                                                                                                                cmp dword ptr [eax], C0000005h
                                                                                                                                                                                                                                                sete cl
                                                                                                                                                                                                                                                mov eax, ecx
                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                mov esp, dword ptr [ebp-18h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c054 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8c400 | 0x2e80 | .bOS
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x2604 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x37160 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c198 | 0x11c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3546c | 0x35600 | f5361c54b25e15a938b45ad5e6bff8aa | False | 0.49542136270491804 | data | 6.95731113161578 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x37000 | 0x5e44 | 0x6000 | fd3796618028fe8f9db0ee4940ae629c | False | 0.4084879557291667 | data | 4.760062424903548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3d000 | 0x1ba4 | 0x1000 | ff4f8fd6963b4f7d1c08f13031fa0788 | False | 0.470703125 | OpenPGP Secret Key | 4.849894766585126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg | 0x3f000 | 0x8 | 0x200 | 0412284a8fbf9e5e622314b9d7d68a8f | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x40000 | 0x2604 | 0x2800 | ea75b8bb4d2e2cb7f98c9cf7a2c3e9f3 | False | 0.78046875 | data | 6.61872461528721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bOS | 0x43000 | 0x4ce00 | 0x4ce00 | 76f523d6798942655c73d5441edae6bf | False | 1.0003366361788617 | data | 7.999557020865279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T14:30:03.003968+0100 | 2057838 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou) | 1 | 192.168.2.8 | 63792 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.233194+0100 | 2057668 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) | 1 | 192.168.2.8 | 54307 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.233194+0100 | 2057697 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) | 1 | 192.168.2.8 | 54307 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.465654+0100 | 2057658 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) | 1 | 192.168.2.8 | 61692 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.700559+0100 | 2057654 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) | 1 | 192.168.2.8 | 58689 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:03.938536+0100 | 2057662 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) | 1 | 192.168.2.8 | 52911 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.168631+0100 | 2057666 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) | 1 | 192.168.2.8 | 59232 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.168631+0100 | 2057696 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) | 1 | 192.168.2.8 | 59232 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.490999+0100 | 2057660 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) | 1 | 192.168.2.8 | 51182 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.831379+0100 | 2057652 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) | 1 | 192.168.2.8 | 52424 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:04.831379+0100 | 2057695 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) | 1 | 192.168.2.8 | 52424 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:05.063325+0100 | 2057664 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs) | 1 | 192.168.2.8 | 57787 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:05.063325+0100 | 2057698 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) | 1 | 192.168.2.8 | 57787 | 1.1.1.1 | 53 | UDP
2024-12-18T14:30:06.857533+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 23.55.153.106 | 443 | TCP
2024-12-18T14:30:07.638934+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.8 | 49710 | 23.55.153.106 | 443 | TCP
2024-12-18T14:30:09.406227+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.009979+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.009979+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-18T14:30:10.981632+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 172.67.157.254 | 443 | TCP
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.639075994 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.639108896 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.639130116 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.639161110 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.815198898 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.815238953 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.815274954 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.815295935 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.815332890 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.853214025 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.853255033 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.853291035 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.853302956 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.853351116 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.855865955 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.855885029 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.855914116 CET49710443192.168.2.823.55.153.106
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:07.855920076 CET4434971023.55.153.106192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:08.186335087 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:08.186374903 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:08.186465025 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:08.186856985 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:08.186866999 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.406110048 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.406227112 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.409347057 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.409358025 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.409626007 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.410738945 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.410770893 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:09.410815001 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.009980917 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010077953 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010142088 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010313988 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010332108 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010343075 CET49711443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.010354042 CET44349711172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.068115950 CET49712443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.068164110 CET44349712172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.068227053 CET49712443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.068681002 CET49712443192.168.2.8172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.068696022 CET44349712172.67.157.254192.168.2.8
                                                                                                                                                                                                                                                Dec 18, 2024 14:30:10.981631994 CET49712443192.168.2.8172.67.157.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 14:30:03.003968000 CET | 63792 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:03.224384069 CET | 53 | 63792 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:03.233194113 CET | 54307 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:03.462553024 CET | 53 | 54307 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:03.465653896 CET | 61692 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:03.697175026 CET | 53 | 61692 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:03.700558901 CET | 58689 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:03.936733007 CET | 53 | 58689 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:03.938535929 CET | 52911 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:04.164748907 CET | 53 | 52911 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:04.168631077 CET | 59232 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:04.481755018 CET | 53 | 59232 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:04.490998983 CET | 51182 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:04.716860056 CET | 53 | 51182 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:04.831378937 CET | 52424 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:05.059451103 CET | 53 | 52424 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:05.063324928 CET | 57787 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:05.286096096 CET | 53 | 57787 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:05.299772978 CET | 65528 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:05.438880920 CET | 53 | 65528 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 14:30:07.859019041 CET | 50198 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 14:30:08.185189009 CET | 53 | 50198 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 14:30:03.003968000 CET | 192.168.2.8 | 1.1.1.1 | 0x2a5 | Standard query (0) | push-hook.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.233194113 CET | 192.168.2.8 | 1.1.1.1 | 0x4608 | Standard query (0) | processhol.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.465653896 CET | 192.168.2.8 | 1.1.1.1 | 0xb074 | Standard query (0) | librari-night.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.700558901 CET | 192.168.2.8 | 1.1.1.1 | 0x5122 | Standard query (0) | befall-sm0ker.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.938535929 CET | 192.168.2.8 | 1.1.1.1 | 0xbe6c | Standard query (0) | p10tgrace.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.168631077 CET | 192.168.2.8 | 1.1.1.1 | 0x1a60 | Standard query (0) | peepburry828.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.490998983 CET | 192.168.2.8 | 1.1.1.1 | 0x8bda | Standard query (0) | owner-vacat10n.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.831378937 CET | 192.168.2.8 | 1.1.1.1 | 0x8017 | Standard query (0) | 3xp3cts1aim.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:05.063324928 CET | 192.168.2.8 | 1.1.1.1 | 0xd8e1 | Standard query (0) | p3ar11fter.sbs | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:05.299772978 CET | 192.168.2.8 | 1.1.1.1 | 0xf7bb | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:07.859019041 CET | 192.168.2.8 | 1.1.1.1 | 0xe41 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 14:30:03.224384069 CET | 1.1.1.1 | 192.168.2.8 | 0x2a5 | Name error (3) | push-hook.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.462553024 CET | 1.1.1.1 | 192.168.2.8 | 0x4608 | Name error (3) | processhol.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.697175026 CET | 1.1.1.1 | 192.168.2.8 | 0xb074 | Name error (3) | librari-night.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:03.936733007 CET | 1.1.1.1 | 192.168.2.8 | 0x5122 | Name error (3) | befall-sm0ker.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.164748907 CET | 1.1.1.1 | 192.168.2.8 | 0xbe6c | Name error (3) | p10tgrace.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.481755018 CET | 1.1.1.1 | 192.168.2.8 | 0x1a60 | Name error (3) | peepburry828.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:04.716860056 CET | 1.1.1.1 | 192.168.2.8 | 0x8bda | Name error (3) | owner-vacat10n.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:05.059451103 CET | 1.1.1.1 | 192.168.2.8 | 0x8017 | Name error (3) | 3xp3cts1aim.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:05.286096096 CET | 1.1.1.1 | 192.168.2.8 | 0xd8e1 | Name error (3) | p3ar11fter.sbs | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:05.438880920 CET | 1.1.1.1 | 192.168.2.8 | 0xf7bb | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:08.185189009 CET | 1.1.1.1 | 192.168.2.8 | 0xe41 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:30:08.185189009 CET | 1.1.1.1 | 192.168.2.8 | 0xe41 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49710 | 23.55.153.106 | 443 | 4260 | C:\Users\user\Desktop\aqbjn3fl.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:30:06 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-18 13:30:07 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 18 Dec 2024 13:30:07 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=f40553fc613f06009559ae1e; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 13:30:07 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 13:30:07 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 13:30:07 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49711 | 172.67.157.254 | 443 | 4260 | C:\Users\user\Desktop\aqbjn3fl.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:30:09 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-18 13:30:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 13:30:10 UTC | 1030 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 13:30:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7g5hgsb1usbt5qhg965mmjkr2o; expires=Sun, 13-Apr-2025 07:16:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NCQJFyHXMmnpzZ48gSho6DS%2FRGxLbXlRgkaHp3azNtqDZQhOyP2CCNYAjpJUVsjGX89hWvwEzKqNAEHeV38jWvJgvXGnkvNybnDvmRwPW4e627dwHUUpkLmyTtcRB1NSbUM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3f81827eea1a34-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1945&min_rtt=1937&rtt_var=743&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1455633&cwnd=185&unsent_bytes=0&cid=dacabc69ef469979&ts=616&x=0"
2024-12-18 13:30:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-18 13:30:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 08:29:59
Start date: 18/12/2024
Path: C:\Users\user\Desktop\aqbjn3fl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\aqbjn3fl.exe"
Imagebase: 0x9b0000
File size: 586'368 bytes
MD5 hash: 34A152EB5D1D3E63DAFEF23579042933
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1511669502.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:29:59
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 08:30:02
Start date: 18/12/2024
Path: C:\Users\user\Desktop\aqbjn3fl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\aqbjn3fl.exe"
Imagebase: 0x9b0000
File size: 586'368 bytes
MD5 hash: 34A152EB5D1D3E63DAFEF23579042933
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 0.7%
Signature Coverage: 3.3%
Total number of Nodes: 1143
Total number of Limit Nodes: 17
__strnicoll 39 API calls 17112->17115 17116 9db759 __strnicoll 39 API calls 17113->17116 17114->17117 17115->17117 17116->17117 17117->17072 17119 9dd468 __strnicoll 39 API calls 17118->17119 17120 9e3f33 17119->17120 17123 9e3f66 17120->17123 17124 9e3f9a __strnicoll 17123->17124 17127 9e401a 17124->17127 17128 9e41fe 17124->17128 17130 9e4007 GetCPInfo 17124->17130 17135 9e401e 17124->17135 17125 9d8df1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 17126 9e365e 17125->17126 17126->17083 17126->17099 17129 9ded64 __strnicoll MultiByteToWideChar 17127->17129 17127->17135 17132 9e40a0 17129->17132 17130->17127 17130->17135 17131 9e41f2 17133 9dec43 __freea 14 API calls 17131->17133 17132->17131 17134 9debbb __strnicoll 15 API calls 17132->17134 17132->17135 17136 9e40c7 __alloca_probe_16 17132->17136 17133->17135 17134->17136 17135->17125 17135->17128 17136->17131 17137 9ded64 __strnicoll MultiByteToWideChar 17136->17137 17138 9e4113 17137->17138 17138->17131 17139 9ded64 __strnicoll MultiByteToWideChar 17138->17139 17140 9e412f 17139->17140 17140->17131 17141 9e413d 17140->17141 17142 9e41a0 17141->17142 17144 9debbb __strnicoll 15 API calls 17141->17144 17147 9e4156 __alloca_probe_16 17141->17147 17143 9dec43 __freea 14 API calls 17142->17143 17145 9e41a6 17143->17145 17144->17147 17146 9dec43 __freea 14 API calls 17145->17146 17146->17135 17147->17142 17148 9ded64 __strnicoll MultiByteToWideChar 17147->17148 17149 9e4199 17148->17149 17149->17142 17150 9e41c2 17149->17150 17156 9dc645 17150->17156 17153 9dec43 __freea 14 API calls 17154 9e41e2 17153->17154 17155 9dec43 __freea 14 API calls 17154->17155 17155->17135 17157 9dca24 __strnicoll 5 API calls 17156->17157 17158 9dc650 17157->17158 17159 9dc849 __strnicoll 5 API calls 17158->17159 17161 9dc656 17158->17161 17160 9dc696 CompareStringW 17159->17160 17160->17161 17161->17153 17163 9e33e8 HeapSize 17162->17163 17164 9e33d3 17162->17164 17163->17026 17165 9de43c __strnicoll 14 API calls 17164->17165 
17166 9e33d8 17165->17166 17167 9db759 __strnicoll 39 API calls 17166->17167 17168 9e33e3 17167->17168 17168->17026 17170 9e3408 17169->17170 17171 9e3413 17169->17171 17172 9debbb __strnicoll 15 API calls 17170->17172 17173 9e341b 17171->17173 17180 9e3424 __strnicoll 17171->17180 17177 9e3410 17172->17177 17174 9ddc6b __freea 14 API calls 17173->17174 17174->17177 17175 9e344e HeapReAlloc 17175->17177 17175->17180 17176 9e3429 17178 9de43c __strnicoll 14 API calls 17176->17178 17177->17031 17178->17177 17179 9dabf8 __strnicoll 2 API calls 17179->17180 17180->17175 17180->17176 17180->17179 17182 9dd468 __strnicoll 39 API calls 17181->17182 17183 9df1fc 17182->17183 17185 9df20e 17183->17185 17189 9dc626 17183->17189 17186 9df282 17185->17186 17195 9df458 17186->17195 17192 9dca0a 17189->17192 17193 9dc985 __strnicoll 5 API calls 17192->17193 17194 9dc62e 17193->17194 17194->17185 17196 9df466 17195->17196 17197 9df480 17195->17197 17213 9df268 17196->17213 17199 9df487 17197->17199 17200 9df4a6 17197->17200 17204 9df29a 17199->17204 17217 9df229 17199->17217 17201 9ded64 __strnicoll MultiByteToWideChar 17200->17201 17203 9df4b5 17201->17203 17205 9df4bc GetLastError 17203->17205 17206 9df4e2 17203->17206 17209 9df229 15 API calls 17203->17209 17204->17037 17204->17038 17222 9de462 17205->17222 17206->17204 17210 9ded64 __strnicoll MultiByteToWideChar 17206->17210 17209->17206 17212 9df4f9 17210->17212 17211 9de43c __strnicoll 14 API calls 17211->17204 17212->17204 17212->17205 17214 9df27b 17213->17214 17215 9df273 17213->17215 17214->17204 17216 9ddc6b __freea 14 API calls 17215->17216 17216->17214 17218 9df268 14 API calls 17217->17218 17219 9df237 17218->17219 17227 9df1cb 17219->17227 17230 9de44f 17222->17230 17224 9de46d __dosmaperr 17225 9de43c __strnicoll 14 API calls 17224->17225 17226 9de480 17225->17226 17226->17211 17228 9debbb __strnicoll 15 API calls 17227->17228 17229 9df1d8 17228->17229 17229->17204 17231 9dccfb __strnicoll 14 API calls 
17230->17231 17232 9de454 17231->17232 17232->17224 17234 9daa3e 17233->17234 17242 9daa4f 17233->17242 17235 9d967c CallUnexpected GetModuleHandleW 17234->17235 17238 9daa43 17235->17238 17238->17242 17244 9da945 GetModuleHandleExW 17238->17244 17239 9da8fd 17239->16374 17249 9dabab 17242->17249 17245 9da984 GetProcAddress 17244->17245 17246 9da998 17244->17246 17245->17246 17247 9da9ab FreeLibrary 17246->17247 17248 9da9b4 17246->17248 17247->17248 17248->17242 17250 9dabb7 ___scrt_is_nonwritable_in_current_image 17249->17250 17264 9dcb01 EnterCriticalSection 17250->17264 17252 9dabc1 17265 9daaa8 17252->17265 17254 9dabce 17269 9dabec 17254->17269 17257 9da9e0 17294 9da9c7 17257->17294 17259 9da9ea 17260 9da9fe 17259->17260 17261 9da9ee GetCurrentProcess TerminateProcess 17259->17261 17262 9da945 CallUnexpected 3 API calls 17260->17262 17261->17260 17263 9daa06 ExitProcess 17262->17263 17264->17252 17268 9daab4 ___scrt_is_nonwritable_in_current_image CallUnexpected 17265->17268 17267 9dab18 CallUnexpected 17267->17254 17268->17267 17272 9db15b 17268->17272 17293 9dcb18 LeaveCriticalSection 17269->17293 17271 9daa87 17271->17239 17271->17257 17273 9db167 __EH_prolog3 17272->17273 17276 9db3e6 17273->17276 17275 9db18e CallUnexpected 17275->17267 17277 9db3f2 ___scrt_is_nonwritable_in_current_image 17276->17277 17284 9dcb01 EnterCriticalSection 17277->17284 17279 9db400 17285 9db2b1 17279->17285 17284->17279 17286 9db2c8 17285->17286 17287 9db2d0 17285->17287 17289 9db435 17286->17289 17287->17286 17288 9ddc6b __freea 14 API calls 17287->17288 17288->17286 17292 9dcb18 LeaveCriticalSection 17289->17292 17291 9db41e 17291->17275 17292->17291 17293->17271 17297 9de511 17294->17297 17296 9da9cc CallUnexpected 17296->17259 17298 9de520 CallUnexpected 17297->17298 17299 9de52d 17298->17299 17301 9dc87a 17298->17301 17299->17296 17302 9dc985 __strnicoll 5 API calls 17301->17302 17303 9dc896 17302->17303 17303->17299 17305 9da7ad 17304->17305 17306 9da7bf 
___scrt_uninitialize_crt 17304->17306 17307 9da7bb 17305->17307 17309 9de047 17305->17309 17306->16412 17307->16412 17312 9de172 17309->17312 17315 9de24b 17312->17315 17316 9de257 ___scrt_is_nonwritable_in_current_image 17315->17316 17323 9dcb01 EnterCriticalSection 17316->17323 17318 9de2cd 17332 9de2eb 17318->17332 17319 9de261 ___scrt_uninitialize_crt 17319->17318 17324 9de1bf 17319->17324 17323->17319 17325 9de1cb ___scrt_is_nonwritable_in_current_image 17324->17325 17335 9de2f7 EnterCriticalSection 17325->17335 17327 9de1d5 ___scrt_uninitialize_crt 17331 9de20e 17327->17331 17336 9de050 17327->17336 17349 9de23f 17331->17349 17448 9dcb18 LeaveCriticalSection 17332->17448 17334 9de04e 17334->17307 17335->17327 17337 9de065 __strnicoll 17336->17337 17338 9de06c 17337->17338 17339 9de077 17337->17339 17341 9de172 ___scrt_uninitialize_crt 68 API calls 17338->17341 17352 9de0b5 17339->17352 17342 9de072 17341->17342 17344 9db9c7 __strnicoll 39 API calls 17342->17344 17346 9de0af 17344->17346 17346->17331 17347 9de098 17365 9e10af 17347->17365 17447 9de30b LeaveCriticalSection 17349->17447 17351 9de22d 17351->17319 17353 9de0ce 17352->17353 17357 9de081 17352->17357 17354 9e11ce ___scrt_uninitialize_crt 39 API calls 17353->17354 17353->17357 17355 9de0ea 17354->17355 17376 9e1411 17355->17376 17357->17342 17358 9e11ce 17357->17358 17359 9e11ef 17358->17359 17360 9e11da 17358->17360 17359->17347 17361 9de43c __strnicoll 14 API calls 17360->17361 17362 9e11df 17361->17362 17363 9db759 __strnicoll 39 API calls 17362->17363 17364 9e11ea 17363->17364 17364->17347 17366 9e10cd 17365->17366 17367 9e10c0 17365->17367 17369 9e1116 17366->17369 17372 9e10f4 17366->17372 17368 9de43c __strnicoll 14 API calls 17367->17368 17374 9e10c5 17368->17374 17370 9de43c __strnicoll 14 API calls 17369->17370 17371 9e111b 17370->17371 17373 9db759 __strnicoll 39 API calls 17371->17373 17417 9e112c 17372->17417 17373->17374 17374->17342 17377 9e141d ___scrt_is_nonwritable_in_current_image 
17376->17377 17378 9e145e 17377->17378 17379 9e14a4 17377->17379 17386 9e1425 17377->17386 17380 9db902 __strnicoll 29 API calls 17378->17380 17387 9e08d4 EnterCriticalSection 17379->17387 17380->17386 17382 9e14aa 17383 9e14c8 17382->17383 17388 9e11f5 17382->17388 17414 9e151a 17383->17414 17386->17357 17387->17382 17389 9e121d 17388->17389 17413 9e1240 ___scrt_uninitialize_crt 17388->17413 17390 9e1221 17389->17390 17392 9e127c 17389->17392 17391 9db902 __strnicoll 29 API calls 17390->17391 17391->17413 17393 9e129a 17392->17393 17395 9e39cc ___scrt_uninitialize_crt 41 API calls 17392->17395 17394 9e1522 ___scrt_uninitialize_crt 40 API calls 17393->17394 17396 9e12ac 17394->17396 17395->17393 17397 9e12f9 17396->17397 17398 9e12b2 17396->17398 17401 9e130d 17397->17401 17402 9e1362 WriteFile 17397->17402 17399 9e12ba 17398->17399 17400 9e12e1 17398->17400 17407 9e1966 ___scrt_uninitialize_crt 6 API calls 17399->17407 17399->17413 17403 9e159f ___scrt_uninitialize_crt 45 API calls 17400->17403 17405 9e134e 17401->17405 17406 9e1315 17401->17406 17404 9e1384 GetLastError 17402->17404 17402->17413 17403->17413 17404->17413 17408 9e19ce ___scrt_uninitialize_crt 7 API calls 17405->17408 17409 9e133a 17406->17409 17410 9e131a 17406->17410 17407->17413 17408->17413 17411 9e1b92 ___scrt_uninitialize_crt 8 API calls 17409->17411 17412 9e1aa9 ___scrt_uninitialize_crt 7 API calls 17410->17412 17410->17413 17411->17413 17412->17413 17413->17383 17415 9e08f7 ___scrt_uninitialize_crt LeaveCriticalSection 17414->17415 17416 9e1520 17415->17416 17416->17386 17418 9e1138 ___scrt_is_nonwritable_in_current_image 17417->17418 17430 9e08d4 EnterCriticalSection 17418->17430 17420 9e1147 17429 9e118c 17420->17429 17431 9e068b 17420->17431 17422 9de43c __strnicoll 14 API calls 17424 9e1193 17422->17424 17423 9e1173 FlushFileBuffers 17423->17424 17425 9e117f GetLastError 17423->17425 17444 9e11c2 17424->17444 17427 9de44f __dosmaperr 14 API calls 17425->17427 17427->17429 17429->17422 
17430->17420 17432 9e06ad 17431->17432 17433 9e0698 17431->17433 17436 9de44f __dosmaperr 14 API calls 17432->17436 17438 9e06d2 17432->17438 17434 9de44f __dosmaperr 14 API calls 17433->17434 17435 9e069d 17434->17435 17437 9de43c __strnicoll 14 API calls 17435->17437 17439 9e06dd 17436->17439 17440 9e06a5 17437->17440 17438->17423 17441 9de43c __strnicoll 14 API calls 17439->17441 17440->17423 17442 9e06e5 17441->17442 17443 9db759 __strnicoll 39 API calls 17442->17443 17443->17440 17445 9e08f7 ___scrt_uninitialize_crt LeaveCriticalSection 17444->17445 17446 9e11ab 17445->17446 17446->17374 17447->17351 17448->17334 16088 9bd478 16089 9bded1 16088->16089 16094 9bcd50 16088->16094 16090 9c018f 16089->16090 16089->16094 16100 9d8df1 16090->16100 16092 9c0199 16093 9bce30 GetPEB 16093->16094 16094->16093 16096 9b9210 16094->16096 16097 9b9660 16096->16097 16098 9d8df1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 16097->16098 16099 9ba0a0 16098->16099 16099->16094 16101 9d8df9 16100->16101 16102 9d8dfa IsProcessorFeaturePresent 16100->16102 16101->16092 16104 9d8f6a 16102->16104 16107 9d904f SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16104->16107 16106 9d904d 16106->16092 16107->16106

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,009ED0FF,009ED0EF), ref: 009ED323
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 009ED336
• Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 009ED354
• ReadProcessMemory.KERNELBASE(0000008C,?,009ED143,00000004,00000000), ref: 009ED378
• VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 009ED3A3
• WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 009ED3FB
• WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 009ED446
• WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 009ED484
• Wow64SetThreadContext.KERNEL32(00000098,02C50000), ref: 009ED4C0
• ResumeThread.KERNELBASE(00000098), ref: 009ED4CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 0b77e979cbe066a640e3ced87a601ec984e20fa9cbc213aff466d300267f0443
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: 3CB1077660128AAFDB60CF69CC80BDA73A5FF88714F158524EA08AB341D774FE51CB94

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID:
• String ID: XvIL
• API String ID: 0-558896452
• Opcode ID: 6c9369cf92e9173615d8ad79d8560ea6a0fcb857d1fdea8368ffd7592c3d7d42
• Instruction ID: 4630828ddcfadd7a4b8b307f40c3aa957794ead14de10d1a35e195c3d507e586
• Opcode Fuzzy Hash: 6c9369cf92e9173615d8ad79d8560ea6a0fcb857d1fdea8368ffd7592c3d7d42
• Instruction Fuzzy Hash: EE61CB793261019F9E2CCA28AEE56FC77D5DFD8330B25452EF4135BAF1D624AC418782

Control-flow Graph

(graph rendering not reproduced; basic blocks span 9e0ea8-9e1096, with calls into 9e39b0, 9ded64, 9d8df1, 9e2b90, 9debbb, 9dec43, 9dc7ec and 9e012e)
APIs
• __alloca_probe_16.LIBCMT ref: 009E0F2D
• __alloca_probe_16.LIBCMT ref: 009E0FF6
• __freea.LIBCMT ref: 009E105D
  • Part of subcall function 009DEBBB: RtlAllocateHeap.NTDLL(00000000,009B76E8,?,?,009B76E8,01E84800), ref: 009DEBED
• __freea.LIBCMT ref: 009E1070
• __freea.LIBCMT ref: 009E107D
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: 6ec16d1f351406baf340f9dd67be97b848ca357e3c84ee994bc73d0cfbcd60f8
• Instruction ID: 49fee81d99f27fe3366e819048334e71b93174d3cbc52376c541f8a25722a3ee
• Opcode Fuzzy Hash: 6ec16d1f351406baf340f9dd67be97b848ca357e3c84ee994bc73d0cfbcd60f8
• Instruction Fuzzy Hash: EE51B372600286AFDF226F62CC81FBB3BADEF84711B194529FD04D6251EB75DD90C660

Control-flow Graph

(graph rendering not reproduced; basic blocks span 9dd4ea-9dd6ee, with calls into 9dd6ef, 9dd760, 9da540, 9d8df1, 9dda3b and 9dda79, and API calls to IsValidCodePage and GetCPInfo)
APIs
  • Part of subcall function 009DD6EF: GetOEMCP.KERNEL32(00000000,?,?,788496A7,?), ref: 009DD71A
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,009DD8FA,?,00000000,?,788496A7,?), ref: 009DD54B
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,009DD8FA,?,00000000,?,788496A7,?), ref: 009DD587
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: a64d8e0c5ed3cac769b363a402bbeec0766f2e559026120cf98c356e912a0d71
• Instruction ID: 543557c66676e33ba577c180d37587f674f43ac96c4188c0fcfa63764692be62
• Opcode Fuzzy Hash: a64d8e0c5ed3cac769b363a402bbeec0766f2e559026120cf98c356e912a0d71
• Instruction Fuzzy Hash: BF51F4B09853459FDB20CF75C881AAABBE9EF85304F18C56FE08A8B351E674D945CB90

Control-flow Graph

(graph rendering not reproduced; basic blocks span 9dd2d2-9dd381, with API calls to GetStdHandle and GetFileType)
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,009DD1C1,009ECB48,0000000C), ref: 009DD31E
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,009DD1C1,009ECB48,0000000C), ref: 009DD330
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 97734bdbc83473e9e72ef3d718979effc62b17088e6787ac333d3a33bdc6f788
• Instruction ID: bfd8021ad05afadbe51a38a100551a46b9369115c216397125e8587eb8f3436f
• Opcode Fuzzy Hash: 97734bdbc83473e9e72ef3d718979effc62b17088e6787ac333d3a33bdc6f788
• Instruction Fuzzy Hash: 6111D671545B814AC7304E3E8C88622FA9CA766338B384B1BD1B6877F6D334D946D242

Control-flow Graph

(graph rendering not reproduced; basic blocks span 9ba0b0-9ba16c, with two API calls to ExitProcess)
APIs
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ExitProcess
• String ID:
                                                                                                                                                                                                                                                  • API String ID: 621844428-0
                                                                                                                                                                                                                                                  • Opcode ID: 7ee63a893e8f360b8c116893ea447860b0047fb95cd71158a6d4fd938a709d97
                                                                                                                                                                                                                                                  • Instruction ID: 420a03ce7ce15d19725978610a4ef42404634e9a5ea37ab60c3297bae1f838d8
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7ee63a893e8f360b8c116893ea447860b0047fb95cd71158a6d4fd938a709d97
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 36112B35B192546BE7548A2C8960BAE37EB8BCE720F154069E445D7380DE314C468781

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
control_flow_graph 177 9dc7ec-9dc7fb call 9dca3e 180 9dc7fd-9dc822 LCMapStringEx 177->180 181 9dc824-9dc83e call 9dc849 LCMapStringW 177->181 185 9dc844-9dc846 180->185 181->185
APIs
• LCMapStringEx.KERNELBASE(?,009E0F98,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 009DC820
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,009E0F98,?,?,-00000008,?,00000000), ref: 009DC83E
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: String
• String ID:
• API String ID: 2568140703-0
• Opcode ID: 3a2f3bb8886290c9796612d34c9f36ce88b6fdd480cc61b6a7f04afb08eb72e6
• Instruction ID: c5cac98bdc1372d734dadf38fc52fab00f45984b79c5537b9ad0e6f2399542cf
• Opcode Fuzzy Hash: 3a2f3bb8886290c9796612d34c9f36ce88b6fdd480cc61b6a7f04afb08eb72e6
• Instruction Fuzzy Hash: CDF07A7244415ABBCF125F90DC05EDE7F66EF88360F058021FA1825221C736C932FB90

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
control_flow_graph 186 9ddc6b-9ddc74 187 9ddc76-9ddc89 RtlFreeHeap 186->187 188 9ddca3-9ddca4 186->188 187->188 189 9ddc8b-9ddca2 GetLastError call 9de485 call 9de43c 187->189 189->188
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,009DBCAC,009B782F), ref: 009DDC81
• GetLastError.KERNEL32(?,?,009DBCAC,009B782F), ref: 009DDC8C
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: f3ddca6716bd868bb1b05e0f261e7d26a2ac39d6a84dd292dae5fb3f8b9fce37
• Instruction ID: c964326344e73e81d819a9dc5faba1f1dc8ff7a433ccf25f4c8563ae74b3d981
• Opcode Fuzzy Hash: f3ddca6716bd868bb1b05e0f261e7d26a2ac39d6a84dd292dae5fb3f8b9fce37
• Instruction Fuzzy Hash: B6E08C32596608ABDB113FE5FE49B893BAC9B80391F508022FA089E271CB748D41D794

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
control_flow_graph 194 9dda79-9dda9b 195 9ddbad-9ddbd3 194->195 196 9ddaa1-9ddab3 GetCPInfo 194->196 198 9ddbd8-9ddbdd 195->198 196->195 197 9ddab9-9ddac0 196->197 199 9ddac2-9ddacc 197->199 200 9ddbdf-9ddbe5 198->200 201 9ddbe7-9ddbed 198->201 199->199 202 9ddace-9ddae1 199->202 203 9ddbf5-9ddbf7 200->203 204 9ddbef-9ddbf2 201->204 205 9ddbf9 201->205 207 9ddb02-9ddb04 202->207 206 9ddbfb-9ddc0d 203->206 204->203 205->206 206->198 208 9ddc0f-9ddc1d call 9d8df1 206->208 209 9ddb06-9ddb3d call 9dec63 call 9e0e5f 207->209 210 9ddae3-9ddaea 207->210 220 9ddb42-9ddb70 call 9e0e5f 209->220 212 9ddaf9-9ddafb 210->212 215 9ddafd-9ddb00 212->215 216 9ddaec-9ddaee 212->216 215->207 216->215 218 9ddaf0-9ddaf8 216->218 218->212 223 9ddb72-9ddb7d 220->223 224 9ddb7f-9ddb89 223->224 225 9ddb8b-9ddb8e 223->225 226 9ddb9e-9ddba9 224->226 227 9ddb9c 225->227 228 9ddb90-9ddb9a 225->228 226->223 229 9ddbab 226->229 227->226 228->226 229->208
APIs
• GetCPInfo.KERNEL32(00000083,?,00000005,009DD8FA,?), ref: 009DDAAB
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
• Opcode ID: 4cb1d40b1329bf18be625e375ae1f6fade18a4af1a2c1335c1e512ab0a400e25
• Instruction ID: 87d69edb828d2dae6be65873bbe67311520d06f6a44cb3d2aed89646a92b3b6d
• Opcode Fuzzy Hash: 4cb1d40b1329bf18be625e375ae1f6fade18a4af1a2c1335c1e512ab0a400e25
• Instruction Fuzzy Hash: 9B517AB0909158ABDB118E28CCC4BF9BB6CEB55304F1481EBE099C7282C3799E85CF60

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
control_flow_graph 230 9bb0e4-9bb133 ReadFile 231 9bb139-9bb13e 230->231 232 9bcbcf-9bcbda 230->232 231->232 233 9ba1f0-9ba1f6 232->233 234 9bcbe0-9bcc2d 232->234 236 9ba1fc-9ba252 233->236 237 9bb7f0-9bb84a 233->237 234->237 238 9bcc33 234->238 236->233 253 9ba254-9ba25f 236->253 237->233 254 9bb850-9bb87a 237->254 238->236 253->237 255 9ba265 253->255 254->232 256 9bb880-9bb885 254->256 255->236 256->232
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009BB0FC
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 17f4222683e62677f82b8149ed5046621e738f7c94d07350c7555b0c98392624
• Instruction ID: 7f2e1b1c3607373203855ba1b1f514223f8c1172ed0b9136934662a7272c1cd0
• Opcode Fuzzy Hash: 17f4222683e62677f82b8149ed5046621e738f7c94d07350c7555b0c98392624
• Instruction Fuzzy Hash: ED114C7161C3829FCE2C8A284BA54BD62577FD7330F38485EF5038BBA4D9638C459603

Control-flow Graph
• Executed
• Not Executed
[Control-flow graph for the function at 9debbb (basic blocks 9debbb to 9dec08; calls 9de43c, 9dbc5e, 9dabf8 and RtlAllocateHeap); rendered graph node/edge list omitted]
APIs
• RtlAllocateHeap.NTDLL(00000000,009B76E8,?,?,009B76E8,01E84800), ref: 009DEBED
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 7dfba7abeda56dc33555a1300cc109d0120a06ddc81a24bdf9b8e320f9e96ce8
• Instruction ID: bdb28622729ade7b9e1d6a13a178d4ae352373f2aa4e23bc0142c9059a7ae645
• Opcode Fuzzy Hash: 7dfba7abeda56dc33555a1300cc109d0120a06ddc81a24bdf9b8e320f9e96ce8
• Instruction Fuzzy Hash: 6AE09B319D522656E72136AB9C05B5B364C9F417B0F55C123FC579E391DF1DEC0181E1
Strings
Similarity
• API ID:
• String ID: KH%Y$KJn?$KJn?$KJn?$KJn?$LH%Y$LH%Y$LH%Y$LH%Y$h^'$i^'$i^'$i^'$i^'$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%${L%${L%${L%${L%$V?D$V?D$V?D$V?D$V?D
• API String ID: 0-3543999248
• Opcode ID: 4c32e6043597d02589c594856564f449bb2129b20e8755ff7d58ec70e54fc7da
• Instruction ID: 7a6e90a8816db7a9c0041c1ecca1142786f52053c40ec6a1caa2360d75ad1261
• Opcode Fuzzy Hash: 4c32e6043597d02589c594856564f449bb2129b20e8755ff7d58ec70e54fc7da
• Instruction Fuzzy Hash: AAB2F63AA296404F5A28CA6895C4F2DB2969FD53707358F0EE426CF3F4DB39CD429643
Strings
Similarity
• API ID:
• String ID: ($($($sL$sL$2h`?$2h`?$2h`?$2h`?$Dt$Dt$Dt$Hyol$Hyol$Hyol$Hyol$J+z7$J+z7$W8|$X8|$X8|$Yrf1$Yrf1$Yrf1$fM@#$fM@#$fM@#$zN_$zN_$zN_$No$No$[u$[u$[u
• API String ID: 0-1459843020
• Opcode ID: a6f2bf6a9c6f8fcdfa3ccab856aa30851e488d29598da8bd60dd969e1aaf1b26
• Instruction ID: 66bd7e8118fae221d2f7c1ab6a7352dcce3b926a757ed44b10e8f712bbfe2668
• Opcode Fuzzy Hash: a6f2bf6a9c6f8fcdfa3ccab856aa30851e488d29598da8bd60dd969e1aaf1b26
• Instruction Fuzzy Hash: 34E2163BF695418B4A28CA2CD9C9B2D72D397D4324B2B8E5FD8124F3E4D7398C819647
Strings
Similarity
• API ID:
• String ID: >g[$!]j$"]j$"]j$"]j$"]j$&qq!$&qq!$&qq!$&qq!$&$&$&$&$+I"w$,I"w$,I"w$,I"w$,I"w$fVp$fVp$/YS$/YS$/YS
• API String ID: 0-635301867
• Opcode ID: 3643c498c19e89080a2fb82c8322a9e8b8b020d95850d3f8fac5aefa8710e837
• Instruction ID: 6c4efddf2e67a98006412d608c0191ef097205cf222689808f01785e53512dc6
• Opcode Fuzzy Hash: 3643c498c19e89080a2fb82c8322a9e8b8b020d95850d3f8fac5aefa8710e837
• Instruction Fuzzy Hash: 5BD2183B69D1409B4A2CCA24A9E053D73979BE8371774CA1FE8274F7E8C7359E419A03
Strings
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: $^t0$$^t0$$^t0$6Haz$6Haz$6Haz$=am#$>am#$>am#$>am#$kX]E$lX]E$lX]E$lX]E
                                                                                                                                                                                                                                                  • API String ID: 0-4155389939
                                                                                                                                                                                                                                                  • Opcode ID: 94b05a1163c88b4cd00dde2e87ac18c7580a99f2d4dbe3aab10932e3fdfdc886
                                                                                                                                                                                                                                                  • Instruction ID: eb9bed6a6e6cbc7fd5f91eb7d4b5e0e14b6f4b2979c7231f6065f4f7a9e83010
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 94b05a1163c88b4cd00dde2e87ac18c7580a99f2d4dbe3aab10932e3fdfdc886
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CDD26D36F582548B8F2C8A2CD4F467EB3D69F99320725466FDC13AF3B0C7229C459692
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: VlUi$WlUi$WlUi$WlUi$WlUi$1I#$1I#$1I#$1I#$U/$U/$U/$U/
                                                                                                                                                                                                                                                  • API String ID: 0-3233344364
                                                                                                                                                                                                                                                  • Opcode ID: 9649b36b57de69b3a68f73836a5f5a7ab5f712bc835ee2cf40e576612d948d9a
                                                                                                                                                                                                                                                  • Instruction ID: 03ae3e0d502bed764b76ee34c9726f330a715574e39190c671249b073d742bd9
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9649b36b57de69b3a68f73836a5f5a7ab5f712bc835ee2cf40e576612d948d9a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BB52AF3669D7445F4A28CA6C99C803BB2869BA4330B74CA13DA16CF3F5FA64DC41E742
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: string too long$S@$eIY$eIY$eIY
                                                                                                                                                                                                                                                  • API String ID: 0-2211027269
                                                                                                                                                                                                                                                  • Opcode ID: 376cdaff10c127fdb92a02cc9c1dc029a682ad5f3ac0fd014a55b314d89cc118
                                                                                                                                                                                                                                                  • Instruction ID: 84689278f4764a10c932f6a4306a31263667b093383ad653e161f589f9581366
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 376cdaff10c127fdb92a02cc9c1dc029a682ad5f3ac0fd014a55b314d89cc118
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 80918D37F1A2418B9E28862889D5B3D759B6FE1320B698D2EE807CF7E5C739CC455243
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: C`lB$C`lB$C`lB$9z`$9z`$9z`$9z`
                                                                                                                                                                                                                                                  • API String ID: 0-915920326
                                                                                                                                                                                                                                                  • Opcode ID: 09e50f01378c5786bd647997ea62150fed71ed9975f21708a07f91aca3173ed6
                                                                                                                                                                                                                                                  • Instruction ID: 17d07df8ef73617d9320cac22e91ba4085746e541f04f369cda416e8c25b7d37
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09e50f01378c5786bd647997ea62150fed71ed9975f21708a07f91aca3173ed6
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D18159379256508BCA288A185484B1D76959BD53A4F368B1FDC22EF3E0C73ADC46DBC3
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: @\$A\$A\$A\$"!-$"!-$"!-
                                                                                                                                                                                                                                                  • API String ID: 0-1374745079
                                                                                                                                                                                                                                                  • Opcode ID: 4571e30a7c4d7844c5ddf9adff8cc5ca0963d910b6c1b576e5a54b6ba0845311
                                                                                                                                                                                                                                                  • Instruction ID: fb72cee66e1dcf7fd133837de994547b0f965ede9c53ee0e7cfcdb0599dac603
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4571e30a7c4d7844c5ddf9adff8cc5ca0963d910b6c1b576e5a54b6ba0845311
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C7142362192808B4D2CCA2C5BE50BD628BAFE6370B75891FE9138FBF4DB755C419943
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: -'K`$.'K`$.'K`$.'K`$$\Z$$\Z
                                                                                                                                                                                                                                                  • API String ID: 0-1124325746
                                                                                                                                                                                                                                                  • Opcode ID: 137547043eb9930ea56bc72ec989a0a79fe2ac8c5542fd762bf6e39033250e63
                                                                                                                                                                                                                                                  • Instruction ID: 361eaee64c63f6e55fb4eb8c49e3b9a33d336d85369fd831d0595f595c2e4383
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 137547043eb9930ea56bc72ec989a0a79fe2ac8c5542fd762bf6e39033250e63
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 39126136E071508F4F148A2C54D4FBDB7E59B49360B264A3EED12EB3A4C625CD85C783
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: ?B;$@B;$@B;$@B;$@B;
                                                                                                                                                                                                                                                  • API String ID: 0-1209347523
                                                                                                                                                                                                                                                  • Opcode ID: 68fdc71810ba22db76c6b906683a61385573b3d83975495b6f66b03dded9a7ca
                                                                                                                                                                                                                                                  • Instruction ID: 0d4963b22182c384b9252aa8d6d28a2b4073ffc42657fc198315e7603deace31
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68fdc71810ba22db76c6b906683a61385573b3d83975495b6f66b03dded9a7ca
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E632F63AB256449F4A18CA2899C4A6DB3979BD9330734CE0AE426CF7F4C734DE469743
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: CyN$CyN$CyN$CyN$CyN
                                                                                                                                                                                                                                                  • API String ID: 0-4075027903
                                                                                                                                                                                                                                                  • Opcode ID: 8d3f10b1a82328d1a427d2fd0130b68a157e6b5d9bb80a97adea8954ce0ee14e
                                                                                                                                                                                                                                                  • Instruction ID: f7e01613f404f34949d486e073da64e1ae57c1be895260c1681c05976bd19074
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d3f10b1a82328d1a427d2fd0130b68a157e6b5d9bb80a97adea8954ce0ee14e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C12463AF657404B4F28C62996F4B2D629687DA3303758E0DE922CF7E4C729CD469283
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: b~N$c~N$c~N$c~N$c~N
                                                                                                                                                                                                                                                  • API String ID: 0-1905032987
                                                                                                                                                                                                                                                  • Opcode ID: 83128ee5fd243e72ad680fcbe3800e5b208fb2dab6f87a6ca908a46a4b2f35f9
                                                                                                                                                                                                                                                  • Instruction ID: e45124c21e6c4bd008c3d64d28841b2b86acb29ee29a3aa277a54d20f988bec1
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83128ee5fd243e72ad680fcbe3800e5b208fb2dab6f87a6ca908a46a4b2f35f9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7A11B3629D6404B5F249BBCAAC412DF3969BE9320B64CE27ED15CB3E4FB34CD416642
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: A\$A\$PbQ$"!-$"!-
                                                                                                                                                                                                                                                  • API String ID: 0-1954403065
                                                                                                                                                                                                                                                  • Opcode ID: b9df5c15b6449fc2658fc68ad8c3ed520cda19cb7066f23c9a977680582d3953
                                                                                                                                                                                                                                                  • Instruction ID: 62af6c85889d0568546e45bb3590ba1fe4817799ec7d83a5ff6bf3705e8fc5b4
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b9df5c15b6449fc2658fc68ad8c3ed520cda19cb7066f23c9a977680582d3953
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE7142362196804B4E5CCA2C5BE40BD225B9FDA330B358A1FD5174FBF8DB765C415907
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009DF841
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1974802433-0
                                                                                                                                                                                                                                                  • Opcode ID: fb578a13bffeaa224a3b2a1246edbd304c4a9943cbc28b7dca189b1bb4d3c3a9
                                                                                                                                                                                                                                                  • Instruction ID: 8d814a55b1b6a2a4f5ef46129e972ec65e96c02121d1437e62ae5742ed48f88d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb578a13bffeaa224a3b2a1246edbd304c4a9943cbc28b7dca189b1bb4d3c3a9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82711775D85158AFDF20AF34DCAABE9B7BCAB45300F1481EBE04A97311DA304E819F10
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009D96DB
                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 009D97A7
                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009D97C7
                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 009D97D1
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 009D4D86
Similarity
• API ID: ___std_exception_destroy
• String ID:
• API String ID: 4194217158-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 009DB8B2
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 009DB8BC
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 009DB8C9
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Strings
Similarity
• API ID:
• String ID: dUb$ dUb$ dUb
• API String ID: 0-1696577624
Strings
Similarity
• API ID:
• String ID: Mnj$Mnj$Mnj
• API String ID: 0-3324928681
Strings
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: .Q_$i.^$j.^
                                                                                                                                                                                                                                                  • API String ID: 0-3437208586
                                                                                                                                                                                                                                                  • Opcode ID: 16e1395d7d06f983c0c23c0567392bad42f0e991d68edeeef6ad62cddded0608
                                                                                                                                                                                                                                                  • Instruction ID: 127aa22657d8d9f853475bdb43be0796aa724b011f2120ce4c0533896d201a85
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 16e1395d7d06f983c0c23c0567392bad42f0e991d68edeeef6ad62cddded0608
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E816F35B191015B9B2CDA245CE8F3EF6CAAF95360B79491EE903CB7F0DA248D419743
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: F- $XvIL$jiX
                                                                                                                                                                                                                                                  • API String ID: 0-1826392768
                                                                                                                                                                                                                                                  • Opcode ID: d21887ee9950f5ed077554f6556626a4449c10a55d864b27738f69b6033759a4
                                                                                                                                                                                                                                                  • Instruction ID: ca435df03d20270fc3ff2cbf7cac8ba4a1a604c5439edb5d1f0f523c04850b20
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d21887ee9950f5ed077554f6556626a4449c10a55d864b27738f69b6033759a4
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B861DFB47162068B9E2C8A289FE85FC7AD59FD5330B35492EF4174BBF0D224BC804782
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: i.^$j.^
                                                                                                                                                                                                                                                  • API String ID: 0-1036069679
                                                                                                                                                                                                                                                  • Opcode ID: 006259f5ae901008f143750434f108846a29558ca54331087a73ff6431ab8919
                                                                                                                                                                                                                                                  • Instruction ID: 501c5fc137e7b9dce069bbd7d98b4001d068b4af028a7780251420b1e7fbcf09
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 006259f5ae901008f143750434f108846a29558ca54331087a73ff6431ab8919
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED818A36A195015F8A1CCA285CE8E3EF6CEAF96360B784A1DE513CB6F0CF248D459343
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009E5D9D,?,?,00000008,?,?,009E596F,00000000), ref: 009E606F
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionRaise
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3997070919-0
                                                                                                                                                                                                                                                  • Opcode ID: 0997436a5185699eabf93e839044a21e284fa206def2851eccf386721435f80d
                                                                                                                                                                                                                                                  • Instruction ID: aaeeb841be2cb4d7228f5d123f7a9818429a1283f2f588aa02482aae0184156d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0997436a5185699eabf93e839044a21e284fa206def2851eccf386721435f80d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7B15E31510648DFD716CF29C48AB657BE0FF45369F258658E89ACF2A2C335ED82CB40
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 009DEB5E: HeapAlloc.KERNEL32(00000008,?,00000000,?,009DCD48,00000001,00000364,00000000,00000002,000000FF,?,?,009DE441,009DDCA0), ref: 009DEB9F
                                                                                                                                                                                                                                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009DF841
                                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 009DF935
                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 009DF974
                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 009DF9A7
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2701053895-0
                                                                                                                                                                                                                                                  • Opcode ID: 58e90680fe9aad77b3670976b825afdb233dc134a47431afa6d5520b3f749168
                                                                                                                                                                                                                                                  • Instruction ID: acfe54a85129f7b3c562fe407d5b40895ae9167c8e833d67a9b699ff44dcda3f
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58e90680fe9aad77b3670976b825afdb233dc134a47431afa6d5520b3f749168
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C515875980108AFDB109F389CA6AFE77ADDF85314F54C1ABF45A97301EA308E429B20
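The function records above are the unit you work with when comparing this sample against other reports (same Opcode ID or API String ID across samples, or the same call sequence such as FindFirstFileExW / FindNextFileW / FindClose). Below is an added Python parser for that record layout; it is not Joe Sandbox code, and the conventions it relies on (bullet fields, '$'-joined lists in API ID and String ID, "Part of subcall function" prefixes, the Instruction Fuzzy Hash line closing a record) are taken from how the records appear on this page. The embedded sample is constructed from two of the records above, with the per-record "Associated" dump lines left out for brevity.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records into structured objects."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied from the report section in the same
# layout (bullets, field order, '$'-joined lists); "Associated" lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 009DEB5E: HeapAlloc.KERNEL32(00000008,?,00000000,?,009DCD48,00000001,00000364,00000000,00000002,000000FF,?,?,009DE441,009DDCA0), ref: 009DEB9F
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009DF841
• FindNextFileW.KERNEL32(00000000,?), ref: 009DF935
• FindClose.KERNEL32(00000000), ref: 009DF974
• FindClose.KERNEL32(00000000), ref: 009DF9A7
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: Find$CloseFile$AllocFirstHeapNext
• String ID:
• API String ID: 2701053895-0
• Opcode ID: 58e90680fe9aad77b3670976b825afdb233dc134a47431afa6d5520b3f749168
• Instruction ID: acfe54a85129f7b3c562fe407d5b40895ae9167c8e833d67a9b699ff44dcda3f
• Opcode Fuzzy Hash: 58e90680fe9aad77b3670976b825afdb233dc134a47431afa6d5520b3f749168
• Instruction Fuzzy Hash: 2C515875980108AFDB109F389CA6AFE77ADDF85314F54C1ABF45A97301EA308E429B20
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID:
• String ID: i.^$j.^
• API String ID: 0-1036069679
• Opcode ID: 006259f5ae901008f143750434f108846a29558ca54331087a73ff6431ab8919
• Instruction ID: 501c5fc137e7b9dce069bbd7d98b4001d068b4af028a7780251420b1e7fbcf09
• Opcode Fuzzy Hash: 006259f5ae901008f143750434f108846a29558ca54331087a73ff6431ab8919
• Instruction Fuzzy Hash: ED818A36A195015F8A1CCA285CE8E3EF6CEAF96360B784A1DE513CB6F0CF248D459343
"""

# One annotated API call, e.g. "FindNextFileW.KERNEL32(00000000,?), ref: 009DF935",
# optionally prefixed with "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address when the call is in a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...

    @property
    def strings(self) -> List[str]:
        # Referenced strings are '$'-joined; an empty String ID means none.
        value = self.fields.get("String ID", "")
        return value.split("$") if value else []


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each record ends at its Instruction Fuzzy Hash."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue                  # section headers ("APIs", "Similarity") carry no data
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append(ApiCall(
                m["name"], m["module"], m["args"].split(","), int(m["ref"], 16),
                int(m["sub"], 16) if m["sub"] else None))
            continue
        key, _, value = body.partition(":")
        key = key.strip()
        cur.fields[key] = value.strip()
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def direct_api_names(rec: FunctionRecord) -> List[str]:
    """APIs the function calls itself, in call-site order; subcall entries are skipped."""
    return [c.name for c in sorted(rec.apis, key=lambda c: c.ref) if c.subcall_of is None]


def records_calling(records: List[FunctionRecord], api_name: str) -> List[FunctionRecord]:
    """Records whose own or subcall API list mentions api_name."""
    return [r for r in records if any(c.name == api_name for c in r.apis)]


RECORDS = parse_records(SAMPLE)
```

Run it over a whole report's "IDA Plugin" section (after stripping the leading whitespace and "Download File" link text that browser extraction leaves behind) and `records_calling` gives you every function that touches a given API, while `direct_api_names` gives the call sequence to match against other samples; subcall entries are kept separately because they belong to a callee, not to the function the record describes.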
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009D990B
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
                                                                                                                                                                                                                                                  • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2325560087-0
                                                                                                                                                                                                                                                  • Opcode ID: 8f96e1a643fb061db1fc65f07391a5940c916ab81a9382d4ceed2e42f4b5e0ed
                                                                                                                                                                                                                                                  • Instruction ID: ad24398778b0cbddbe87d3d7c0af8367f052225be6a29eb1743aeba2304f15e1
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f96e1a643fb061db1fc65f07391a5940c916ab81a9382d4ceed2e42f4b5e0ed
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC515DB2A152458BEB24CF59D8D57AAB7F8FB48314F28C42AD409EB3A4E374DD40DB50
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_000297F0,009D9145), ref: 009D96C8
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                                                                                                  • Opcode ID: 15a3974dedcf4e5c3ef49ebe5eccd2189e94e8f64c57c4d92583543cae0c8582
                                                                                                                                                                                                                                                  • Instruction ID: 53849eedb3e793988e6e18071ba03d57e59076870e1347d8948a5e2db46319d9
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 15a3974dedcf4e5c3ef49ebe5eccd2189e94e8f64c57c4d92583543cae0c8582
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: ~bD`
                                                                                                                                                                                                                                                  • API String ID: 0-944831652
                                                                                                                                                                                                                                                  • Opcode ID: 3eec96031b8a4dc3dd594fd3ebb9ad68b5b42c43e4f1195b2253d2836bacdb80
                                                                                                                                                                                                                                                  • Instruction ID: 242ab54a2fbec2a30ec25b3c3fd31fb029f09b7485bb78bd4b22b535e918ce5b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3eec96031b8a4dc3dd594fd3ebb9ad68b5b42c43e4f1195b2253d2836bacdb80
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 83718B36B295404B8A2CCF2D59D8B7C63D59B972207794E2FE413CF2E1DB15CD0A9203
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: ~bD`
                                                                                                                                                                                                                                                  • API String ID: 0-944831652
                                                                                                                                                                                                                                                  • Opcode ID: 4153a14317619c97360217991027748b7b7d18f36ca5b39bbe50987f4066a952
                                                                                                                                                                                                                                                  • Instruction ID: 96222147280de284791ba538827a12d0a728d5ead26eae694a4c67c165bb73f6
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4153a14317619c97360217991027748b7b7d18f36ca5b39bbe50987f4066a952
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED5148B9B156009FCA14DB289DC5F2973A5DB9A320F28896EE81ACF3E5D725CC45C603
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: ~bD`
                                                                                                                                                                                                                                                  • API String ID: 0-944831652
                                                                                                                                                                                                                                                  • Opcode ID: 59ad8eb1f175d001606419b04697c16034b64c994e4add80e58e4b2f2ce9ecc1
                                                                                                                                                                                                                                                  • Instruction ID: 8d25e5a39383615e31619b85f9d190b2c2fa627fc26845930a5136a41f20431c
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 59ad8eb1f175d001606419b04697c16034b64c994e4add80e58e4b2f2ce9ecc1
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3F412ABAB156009FC614DB389CD5F2973A5EB99320F298929E806CB3A5D735CD45C603
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 0255760609a1c2602843116fa4ed62c529c28b77a98116ceb4a83611efe4876e
                                                                                                                                                                                                                                                  • Instruction ID: 6c635e9e8b17510ddf999300457ee71ffee191103e87433c6fe59666c3466f52
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0255760609a1c2602843116fa4ed62c529c28b77a98116ceb4a83611efe4876e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A1E14B3A26C3414F4928CA3869C81397396A7B5371B34CA13F922DF3E5E679DD86D242
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: dc9f704e122e20f65832b6647a0aa93eb08e7f0858680e37764d7adce56c5879
                                                                                                                                                                                                                                                  • Instruction ID: 13dc49dab46b0d2528d8b92a160da0b8f08a8b24f4a56fb70dacce60ef55f63b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc9f704e122e20f65832b6647a0aa93eb08e7f0858680e37764d7adce56c5879
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51D1453A3AC2408B5E28EA78E9D412DB2C79BD6330B24CB17E515CF3E5F639CD458642
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 04b23aa6d17714c57aed7f595a6815a24ff0816c12334a7863db3aa8ad61ce3d
                                                                                                                                                                                                                                                  • Instruction ID: 081f2c82d354aaf803be038ca81006b366005b5cebf272ef1b99c63869e5ab28
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04b23aa6d17714c57aed7f595a6815a24ff0816c12334a7863db3aa8ad61ce3d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 20C13B36319A408B4E28CB2856C87AD73979BD57307B68F16D422CF3E8DB34CD469682
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 31005afd91a11407e737fc28dd85f0039ca8dfaaeb08a09b0a5b681415ad0511
                                                                                                                                                                                                                                                  • Instruction ID: 72fa291fb8e9901eb35048e3c7bff65aac405b608f0779108e237642032ba004
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31005afd91a11407e737fc28dd85f0039ca8dfaaeb08a09b0a5b681415ad0511
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34A16A372483858B863C8F68A9F463E7657EBD1320B65C60FC8934FBE4DA795C059682
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d177ef8562795c8194c90930ce71ca31a987ed2ee54c89166d5b02257f2201cd
                                                                                                                                                                                                                                                  • Instruction ID: 8a4d3ad7b2d7f4707e6de391083be53788ceecc0a3bfc8935603c160f24cc46f
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d177ef8562795c8194c90930ce71ca31a987ed2ee54c89166d5b02257f2201cd
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61715A3AF393148B4A18CA3869E4B7E76A65FA5720B648A1AE456CB3F5D731CC049243
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 009BA96A
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                                  • String ID: A\$A\$A\$U<_k$x"$x"$"!-$"!-
                                                                                                                                                                                                                                                  • API String ID: 823142352-2094675021
                                                                                                                                                                                                                                                  • Opcode ID: 4ccd9471b7759d7eb5e793d090d5610018de8dad7e92bdf95af4ff52b0f0fbc7
                                                                                                                                                                                                                                                  • Instruction ID: 4840d214457719712430904ec65b2f129846d71b69efe9eb4698908c7303ae54
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4ccd9471b7759d7eb5e793d090d5610018de8dad7e92bdf95af4ff52b0f0fbc7
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E5179322192819BCE2CCA2C5BE52BC228B6FE6330F34890FE5174BAF4CB654C816507
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • type_info::operator==.LIBVCRUNTIME ref: 009E2702
                                                                                                                                                                                                                                                  • ___TypeMatch.LIBVCRUNTIME ref: 009E2810
                                                                                                                                                                                                                                                  • CatchIt.LIBVCRUNTIME ref: 009E2861
                                                                                                                                                                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 009E2962
                                                                                                                                                                                                                                                  • CallUnexpected.LIBVCRUNTIME ref: 009E297D
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                                                                                                                                  • API String ID: 4119006552-393685449
                                                                                                                                                                                                                                                  • Opcode ID: 396079b4286b9b154e7919a666075ec472f3222046cbadbd017f339d091ff6a5
                                                                                                                                                                                                                                                  • Instruction ID: c252b1e24a4cbc589350549404eba3c455bde0d56cadb0344c0c6335cce8d87e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 396079b4286b9b154e7919a666075ec472f3222046cbadbd017f339d091ff6a5
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8B19C7180024AEFCF1ADFA6C980AAEB7BDFF54310F14416AE8156B212D331EE51CB91
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetCPInfo.KERNEL32(02C75E50,02C75E50,00000000,7FFFFFFF,?,009E3F51,02C75E50,02C75E50,00000000,02C75E50,?,?,?,?,02C75E50,00000000), ref: 009E400C
                                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 009E40C7
                                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 009E4156
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E41A1
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E41A7
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E41DD
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E41E3
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E41F3
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 127012223-0
                                                                                                                                                                                                                                                  • Opcode ID: 0dd6fdcb6c3c22f42961025e3d88b2f18fb62ea00eb941c302a54a3ad69194c2
                                                                                                                                                                                                                                                  • Instruction ID: f4b2701d94e4f580cd96ccd0d688a9ecd2a8da871d7a784322b732738110581b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0dd6fdcb6c3c22f42961025e3d88b2f18fb62ea00eb941c302a54a3ad69194c2
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C3715C32D08385ABDF239F66CC41BAE77BEAFA9310F194459EA00AB281DB35DD418750
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009D49B7
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ___std_exception_copy
                                                                                                                                                                                                                                                  • String ID: (^Hx$(^Hx$(^Hx
                                                                                                                                                                                                                                                  • API String ID: 2659868963-1348055467
                                                                                                                                                                                                                                                  • Opcode ID: e9b2a69e86c96362dcdcbfacd2e9d1ab056cc512a8ccff5b3fc0c736b4190e24
                                                                                                                                                                                                                                                  • Instruction ID: b786e0477061027b405355b1c2a9e1c353c8ddaf4986348ce26ed46ae5912809
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9b2a69e86c96362dcdcbfacd2e9d1ab056cc512a8ccff5b3fc0c736b4190e24
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B1814D392983004F8A24CB2999D423E72D6A799730F68CF17E495CF7E0EB799C449742
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 009D9E97
                                                                                                                                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 009D9E9F
                                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 009D9F28
                                                                                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 009D9F53
                                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 009D9FA8
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 6f6c5e19bc56db2260c69ace41fcd32f8586ea0af75f054f2ae33a0907890db8
• Instruction ID: c6df2232228a701096d7a8addaa8cbea8fb9f53649d1ac874d89ff076e0e464c
• Opcode Fuzzy Hash: 6f6c5e19bc56db2260c69ace41fcd32f8586ea0af75f054f2ae33a0907890db8
• Instruction Fuzzy Hash: 6F41AF34A44259ABCF10EF6CD880B9EBBA5AF85314F14C156F8149B392D731EE01CB91
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,C08A5289,?,009DC9C9,?,009B782F,00000000,00000000), ref: 009DC97B
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: c9cbeed89918db6b695b189d72dcfdada3cc479d4ee8d7ffa6f6ab45eb97ad33
• Instruction ID: 66a83e24d1409f536e13252f7c4ac6aa1743ce3f026f7058a0544a662e4eddad
• Opcode Fuzzy Hash: c9cbeed89918db6b695b189d72dcfdada3cc479d4ee8d7ffa6f6ab45eb97ad33
• Instruction Fuzzy Hash: 052157F1E98212A7CB21AB659C90B5B371CAF81BA0F208622F955BB3C0D730FD01D6D1
APIs
• GetLastError.KERNEL32(?,?,009DC155,009D9C3D,009D9834), ref: 009DC16C
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009DC17A
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009DC193
• SetLastError.KERNEL32(00000000,009DC155,009D9C3D,009D9834), ref: 009DC1E5
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 76dfc59a7bf985a58d17938167a2c9bddfec54119154084585c1bfdbaa5562fc
• Instruction ID: 3b5980a8cb47b57bd4344be61ef45c5ebb64b2f8a828d9ace45fdb57aa5367cb
• Opcode Fuzzy Hash: 76dfc59a7bf985a58d17938167a2c9bddfec54119154084585c1bfdbaa5562fc
• Instruction Fuzzy Hash: F40190B215D3735EEE1517B56CC2E1A2748DB91B79720423BF428853E2EF514C00E554
Strings
• C:\Users\user\Desktop\aqbjn3fl.exe, xrefs: 009DFAF0
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\aqbjn3fl.exe
• API String ID: 0-1266579001
• Opcode ID: 6de56e3b82d097439ad9a528eb05641e23434a2782c54f57bf70e5b112b61d8d
• Instruction ID: 34075c86bb6394f81f0d1b65a61f6096e0b5b793138b5f7e46244cfac6614692
• Opcode Fuzzy Hash: 6de56e3b82d097439ad9a528eb05641e23434a2782c54f57bf70e5b112b61d8d
• Instruction Fuzzy Hash: C7219F71680206BF9B20AFA5DCA3D6A77ACAF84364710C537F91E8B351E734EC4097A0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C08A5289,?,?,00000000,009E63CE,000000FF,?,009DAA06,?,?,009DAAA2,788496A7), ref: 009DA97A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009DA98C
• FreeLibrary.KERNEL32(00000000,?,00000000,009E63CE,000000FF,?,009DAA06,?,?,009DAAA2,788496A7), ref: 009DA9AE
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 03e63a7a483130a444534f32d3ae5dc517ac12f9553a6a98da6e676d6a347e2f
• Instruction ID: 5eeab7ed1a8a938fdd05bcec7fe594f55f3973b4ffc5ee50f5e297b8e4b9a0af
• Opcode Fuzzy Hash: 03e63a7a483130a444534f32d3ae5dc517ac12f9553a6a98da6e676d6a347e2f
• Instruction Fuzzy Hash: 14012671A54299EFDB028F40CC49FAEBBB8FB44B15F004626F821A63E0DB749C00CB91
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,009E290E,?,?,00000000,00000000,00000000,?), ref: 009E2A2D
• CatchIt.LIBVCRUNTIME ref: 009E2B13
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CatchEncodePointer
                                                                                                                                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                                                                                                                                  • API String ID: 1435073870-2084237596
                                                                                                                                                                                                                                                  • Opcode ID: f59ae0f04ca5259ec5faae36d13f87805ac2247026717fb7e1e70d9db9dc169b
                                                                                                                                                                                                                                                  • Instruction ID: 7d96d1b33e07dd65d7b5a8941a00d47eb62552b0d8542e669d708044a81a24a3
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f59ae0f04ca5259ec5faae36d13f87805ac2247026717fb7e1e70d9db9dc169b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C416871900249AFCF26DF95CD81AEEBBB9FF48304F18806AF904A7252D375AD50DB91
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(788496A7,00000000,00000800,?,009E0CDE,?,?,?,?,?,?,009E0B26,00000000,FlsAlloc,009E8060,009E8068), ref: 009E0C4F
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,009E0CDE,?,?,?,?,?,?,009E0B26,00000000,FlsAlloc,009E8060,009E8068,?,?,009DC10C), ref: 009E0C59
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(788496A7,00000000,00000000,?,788496A7,?,?,?,?,009DBDAC,?,?,009C3066,?,00000000,788496A7), ref: 009E0C81
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                  • String ID: api-ms-
                                                                                                                                                                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                  • Opcode ID: f9f3bfb887ca9e8092ee2bf5543fdbd234bf639805c837c01febd44f467c315d
                                                                                                                                                                                                                                                  • Instruction ID: 52325b3c5bc9913cd79ab86c97193e8619a04413014817fb84f064ae18ab717c
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9f3bfb887ca9e8092ee2bf5543fdbd234bf639805c837c01febd44f467c315d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51E04870694244FBDB111BA2DD47B1A3F599B80B40F244120FA8CAC1E1E7A2FC5195D9
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(C08A5289,00000000,00000000,?), ref: 009E1602
                                                                                                                                                                                                                                                    • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009E1854
                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 009E189A
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 009E193D
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2112829910-0
                                                                                                                                                                                                                                                  • Opcode ID: bee3687920d1797ed91c9170aa3dee52fc4c3ce3363da4659d4294f0b7c9fd89
                                                                                                                                                                                                                                                  • Instruction ID: e5005d7a1525dd526dc44ecc044cca91dc318d2661f3ff04dbad6bf136234f6b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bee3687920d1797ed91c9170aa3dee52fc4c3ce3363da4659d4294f0b7c9fd89
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 26D17CB5D042889FCB16CFE9D890AEDBBB9FF49310F28452AE455EB352D630AD41CB50
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AdjustPointer
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1740715915-0
                                                                                                                                                                                                                                                  • Opcode ID: 386ab643bd86498f53e5cae39d3e6168fae8621bcacf20178ddf18a7de8f45f0
                                                                                                                                                                                                                                                  • Instruction ID: 9482c82e9f4d60ae32c9a6feff8b756ecf2f9bdab458d55fe95a552a617c1282
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 386ab643bd86498f53e5cae39d3e6168fae8621bcacf20178ddf18a7de8f45f0
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FB512772644686DFDB2A9F12D951B7AB7ADFF40310F24442DF846972A1EB31EC40D790
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,009DF8D4,?,?,?,00000000), ref: 009DF592
                                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 009DF599
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,009DF8D4,?,?,00000000,?,?,?,00000000,00000000,?,009DF8D4,?,?,?,00000000), ref: 009DF5D3
                                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 009DF5DA
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1913693674-0
                                                                                                                                                                                                                                                  • Opcode ID: a317586bf46e9fdd55d2e2c96d6cee2b9c046a0549e9a20fcb6ace79cffe4414
• Instruction ID: 9fc9dc228bff8ee323b5a3d5019edfe9db027e44c33787799ad11fc5d0f5654a
• Opcode Fuzzy Hash: a317586bf46e9fdd55d2e2c96d6cee2b9c046a0549e9a20fcb6ace79cffe4414
• Instruction Fuzzy Hash: 3721D475684205AFDB10AF65E89297BB7ACFF80364714C53BF92A9B311E730ED409760
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 009E0232
  • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009E026A
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009E028A
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 5bcbb0f445cda887ee774e346dccfd0fbc036a46e23c47968a32eeb51901b51e
• Instruction ID: f3f97f9cc7fe610176eaa8417780f37e8a749ba65caec211bb4293d756301f52
• Opcode Fuzzy Hash: 5bcbb0f445cda887ee774e346dccfd0fbc036a46e23c47968a32eeb51901b51e
• Instruction Fuzzy Hash: 731166F290A6867EA71227739CCDC7F699CCEC63A87000021F902D6301EAB4DD819170
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000), ref: 009E4437
• GetLastError.KERNEL32(?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?,?,?,009E12D7,00000000), ref: 009E4443
  • Part of subcall function 009E44A0: CloseHandle.KERNEL32(FFFFFFFE,009E4453,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?,?), ref: 009E44B0
• ___initconout.LIBCMT ref: 009E4453
  • Part of subcall function 009E4475: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,009E4411,009E3BEF,?,?,009E1991,?,00000000,00000000,?), ref: 009E4488
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?), ref: 009E4468
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 7ca164bed6218933b54e5948ec24d4f21324904785a5dae8d435fb7a8412ad6b
• Instruction ID: 03f3d2302df40bcd8bebf8db15955755eb8e74146d4049c308592abf015e92a4
• Opcode Fuzzy Hash: 7ca164bed6218933b54e5948ec24d4f21324904785a5dae8d435fb7a8412ad6b
• Instruction Fuzzy Hash: C1F01C36515294BBCF231FD2EC48A993F6BEF487A1B014010FA6889270E732CC21EB90
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 009E2285
Strings
Memory Dump Source
• Source File: 00000000.00000002.1511460050.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000000.00000002.1511440506.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511494690.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511510689.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511528794.00000000009EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511549299.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511570424.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 94024c18b831c8219928743c753b0bd03d0c391a15678ef90d4ad782970b0bc5
• Instruction ID: 03b7ccf173ae900599566c9ba4062f4e37e510d10444d69be67fd6d1427e22e7
• Opcode Fuzzy Hash: 94024c18b831c8219928743c753b0bd03d0c391a15678ef90d4ad782970b0bc5
• Instruction Fuzzy Hash: 7431B372400295EBCF278F52CC4496E7B6EFF09B15B18865AF95849221D33ACC62DF91

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 49.1%
Total number of Nodes: 57
Total number of Limit Nodes: 4

Control-flow Graph

APIs
• CoCreateInstance.OLE32(00443678,00000000,00000001,00443668,00000000), ref: 0043940C
• SysAllocString.OLEAUT32(81578756), ref: 004394A4
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004394E9
• SysAllocString.OLEAUT32(7F0F7903), ref: 00439546
• SysAllocString.OLEAUT32(F7ABF957), ref: 0043961A
• VariantInit.OLEAUT32(?), ref: 0043968A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: AllocString$BlanketCreateInitInstanceProxyVariant
• String ID: ()$0}bc$C$\
• API String ID: 65563702-1726517784
• Opcode ID: 0f1222683775ae3621506ccc1600d945d457569e17fe956ef9e8c073e5d335ed
• Instruction ID: 106669d51836f7a9ecf543ef8e50fb3cc3e0c611a8505fe8182dd2d3ee5b5c80
• Opcode Fuzzy Hash: 0f1222683775ae3621506ccc1600d945d457569e17fe956ef9e8c073e5d335ed
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 872260B2A083009BD714DF24C845B6BBBA6EFCA714F18492DF4859B3C1D7B8D905CB96

Control-flow Graph (graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID: +"#R$-0p#$.$["$39my$57B63D703EDF52FC63CFCF7E6C45F838$6(S"$^GFA$c^.z$lev-tolstoi.com$~sx=
• API String ID: 0-506659880
• Opcode ID: a663be38480a963e4d2d2571437e5508161d23da234ca0242be0d579f13188ba
• Instruction ID: a1ac22f4ca37b83a265b626796eb772592280569a4fa714ec55360a40b349c43
• Opcode Fuzzy Hash: a663be38480a963e4d2d2571437e5508161d23da234ca0242be0d579f13188ba
• Instruction Fuzzy Hash: 84A1E27058C3C28FD3358F6585917EBBBE1AF92314F18997DC4D99B281DB78040A8B97

Control-flow Graph (graph not reproduced)
APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408F42
• GetCurrentThreadId.KERNEL32 ref: 00408F55
• GetCurrentProcessId.KERNEL32 ref: 00408F5D
• GetForegroundWindow.USER32 ref: 0040902C
  • Part of subcall function 0040CE90: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CEA3
  • Part of subcall function 0040BD80: FreeLibrary.KERNEL32(00409141), ref: 0040BD86
  • Part of subcall function 0040BD80: FreeLibrary.KERNEL32 ref: 0040BDA7
• ExitProcess.KERNEL32 ref: 00409148
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
• String ID:
• API String ID: 3072701918-0
• Opcode ID: 64b5476fa3e9b2d508b38f129390cd5264c67d7df292d80a79dc2a0f4b5f57c9
• Instruction ID: bdcd889f703e52059c7ab9e58482e3198cbf6fc767073c2214d38ecf418ed339
• Opcode Fuzzy Hash: 64b5476fa3e9b2d508b38f129390cd5264c67d7df292d80a79dc2a0f4b5f57c9
• Instruction Fuzzy Hash: 0A5167B7B443044BD318AEA6CC863AAF9979BC8315F0E903D5980DB391EEBD9C0541C8

Control-flow Graph (graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID: AK$J's)$m?i!$u#{%$~+*-$[:]
• API String ID: 0-2167574748
• Opcode ID: 8b7eb5dfa94aac8796ead674e4283efcaa36dc3fedf3aa51b2c943f31bb2597f
• Instruction ID: 268bcdcb352750d0d86359c6fec1c620c05b0e096526288d619aa41b5e38ca3b
• Opcode Fuzzy Hash: 8b7eb5dfa94aac8796ead674e4283efcaa36dc3fedf3aa51b2c943f31bb2597f
• Instruction Fuzzy Hash: C251DDB45593848BE3748F118482B8FBBB1FB92300F548A1CE6D86B794DBB84446CF97

Control-flow Graph (single block 43e470-43e4a2, LdrInitializeThunk; graph not reproduced)
APIs
• LdrInitializeThunk.NTDLL(0041173D), ref: 0043E49E
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9a25596d5e3cfe4fe0e5db7da74b03c59e9ab60d04f24d3b65b32f0a3db3b2c
• Instruction ID: 4930346e371a7fe24dc622efad621cb1fdb8e28414ae90ad1b2e80d729ef0247
• Opcode Fuzzy Hash: e9a25596d5e3cfe4fe0e5db7da74b03c59e9ab60d04f24d3b65b32f0a3db3b2c
• Instruction Fuzzy Hash: 033187B15483849FD308DF26D85126ABBA1FBD2344F145D1DE0D6AB324DB74C14ACF8A

Control-flow Graph (graph not reproduced)
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043E443
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                  • String ID: ,X_P$1X_P
                                                                                                                                                                                                                                                  • API String ID: 1279760036-2502780324
                                                                                                                                                                                                                                                  • Opcode ID: eb1a6f67c4ada5412c08eb173e14373e3fe507c916b2bafd9d7fb15af6b3fd64
                                                                                                                                                                                                                                                  • Instruction ID: 357ba96cad9f0123cdecf1eeb7454c10257a295415ee4a6f905f218ff180347d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eb1a6f67c4ada5412c08eb173e14373e3fe507c916b2bafd9d7fb15af6b3fd64
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B0168B47052409BD3149B36FC9172BBBD6EFDD311F18853DE68047245D2399806D6D2

Control-flow Graph
• Function 43bab0 (basic blocks 43bab0-43bb68): loop at 43bae0-43bb4a, then RtlFreeHeap at 43bb4c-43bb5b (graph image not reproduced)
APIs
• RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043BB5B
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c966522f7fb25d472709df3c33f9e9313601420be56a465234706629d4e90569
• Instruction ID: 7fcc2dba597176613733501886a8d543011a47e717bc7f6c2f2548effa9cc5a4
• Opcode Fuzzy Hash: c966522f7fb25d472709df3c33f9e9313601420be56a465234706629d4e90569
• Instruction Fuzzy Hash: 8911AF722593099BC728AE99DCC67A377F2DF80348F14003ED6D24E351E178491EE784

Control-flow Graph
• Function 40cec3 (single basic block 40cec3-40cef2): calls CoInitializeSecurity (graph image not reproduced)
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CED5
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 86e7cd1d8ba83fd48d159611fa58a999e323023a6822f24e550602bc64e96fbd
• Instruction ID: 505051cfc9ca38289cd8c3bcaa8b4d1cf811018b2ecdf46f9719d823f91473ff
• Opcode Fuzzy Hash: 86e7cd1d8ba83fd48d159611fa58a999e323023a6822f24e550602bc64e96fbd
• Instruction Fuzzy Hash: F3D0C9383D8741BBF5648B18AC13F543215A702F95F740624B322FE2D2CAE07105860D

Control-flow Graph
• Function 40ce90 (single basic block 40ce90-40cec0): calls CoInitializeEx (graph image not reproduced)
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CEA3
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 95d69b3b1cead687a11d3aac29b76cceb317a11716f3da9f3279e12896be4b7b
• Instruction ID: 22e434c7d5131673a28d60fedf45504e047772ae2bc3a5d8c25a21f98226e921
• Opcode Fuzzy Hash: 95d69b3b1cead687a11d3aac29b76cceb317a11716f3da9f3279e12896be4b7b
• Instruction Fuzzy Hash: 34D0A735590508ABE650672CEC0BF26362CD387725F004235B2A3C71E3EA506914C5AA

Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID:
• String ID: 8I>O$;IJK$;M|C$<=$@A$C1D7$C5+K$H=K3$V%C;$]!S'$_-_#$_9_?$YW
• API String ID: 0-1278073768
• Opcode ID: 81468d8c49a3e02887b835b59ae40fbcc3ebd7ae00028ff60e4259767b61db7f
• Instruction ID: 48240a3c797665121a6c8427249b37c171d795af1c4e3dc191a1b5d2d7455386
• Opcode Fuzzy Hash: 81468d8c49a3e02887b835b59ae40fbcc3ebd7ae00028ff60e4259767b61db7f
• Instruction Fuzzy Hash: FBF1DCB160C3508FD300DF25E89166BBBE0EFC6354F45892DE9D58B391E7788909CB8A

Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID:
• String ID: %c$()$*g/e$+c(a$6aB$M?w=$US$^aB$j7l5$w3w1$x+{)$SQ$WU
• API String ID: 0-760778999
• Opcode ID: 4a98a5ec70e057294fa733518eb136d5d9265efd785ada52663871b1dc11abda
• Instruction ID: ba1722fd9f9df2ce26a2a668a0da62e27f47c5dd5b7501832dbec2575849f197
• Opcode Fuzzy Hash: 4a98a5ec70e057294fa733518eb136d5d9265efd785ada52663871b1dc11abda
• Instruction Fuzzy Hash: 99C11BB850D785CBE2708F11A98179EBBE1FB92344F108A1DE6E86B351DBB04446CF83

APIs
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Similarity
• API ID: Clipboard$CloseDataLongOpenWindow
• String ID:
• API String ID: 1647500905-0
• Opcode ID: 483dc0f38cf7e2e744496e9c2be401a32722d8f1196c6b1196953ddb2bb81523
• Instruction ID: fb864d9a02aa6f82b1cafb98512c37d7d787da1b5168524821baf26f89aa3bc6
• Opcode Fuzzy Hash: 483dc0f38cf7e2e744496e9c2be401a32722d8f1196c6b1196953ddb2bb81523
• Instruction Fuzzy Hash: DC51D3B1808B828BD710AF7C9949259FFA0AB16321F04873AE4E59B382D3389655C797
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: AW$KJML$KJML$\K$_^$m0
                                                                                                                                                                                                                                                  • API String ID: 0-3031886387
                                                                                                                                                                                                                                                  • Opcode ID: 78a00671d45979145a4560d365d97eb3af311ba189861d86e7565eda439995c2
                                                                                                                                                                                                                                                  • Instruction ID: 8226b9801ad2d42dbe1351369da643cc8733ad833090b8abc78d166a71a0a298
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78a00671d45979145a4560d365d97eb3af311ba189861d86e7565eda439995c2
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0AA1377960C350DBE7148F24EC9172BB7A0FB96348F44183EF586872A1D738E906CB4A
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00433E90: GetSystemMetrics.USER32 ref: 00433ED9
                                                                                                                                                                                                                                                    • Part of subcall function 00433E90: GetSystemMetrics.USER32 ref: 00433EE9
                                                                                                                                                                                                                                                  • CoUninitialize.OLE32 ref: 0040DCCC
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: MetricsSystem$Uninitialize
                                                                                                                                                                                                                                                  • String ID: $#$@KFQ$lev-tolstoi.com$_Q
                                                                                                                                                                                                                                                  • API String ID: 1128523136-783552759
                                                                                                                                                                                                                                                  • Opcode ID: d23d948b592791f3cfd090ade1304dc5fd674626a75ff97414607907e0f1a076
                                                                                                                                                                                                                                                  • Instruction ID: 4defda7e57fa942cb74b608a607347f298506896ac3dbf0eddcd85f7108a5fce
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d23d948b592791f3cfd090ade1304dc5fd674626a75ff97414607907e0f1a076
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EB1BC7550D3C28BD3358F25C4907EBBBE1AFE6304F08996DD0C95B382D778490A8B9A
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: z$D1NO$I5G3$S#Q$_]
                                                                                                                                                                                                                                                  • API String ID: 0-639438859
                                                                                                                                                                                                                                                  • Opcode ID: 7afec72c48835cafd2746ae7dfd5b11f69980f76d8b70e9f71c580cd3b4767d1
                                                                                                                                                                                                                                                  • Instruction ID: 66bd1e31735b113f7b95d9c68fe98471feebe8bfbb0225636bc89cdb316b93ea
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7afec72c48835cafd2746ae7dfd5b11f69980f76d8b70e9f71c580cd3b4767d1
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B571F2B16083408BC7249F14D89276BBBF2EFD2318F188A5DE5958B391E778C905CB4B
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: 'O"A$P?l1$X[$o7cI$w3k5
                                                                                                                                                                                                                                                  • API String ID: 0-455523353
                                                                                                                                                                                                                                                  • Opcode ID: ff135a553d3141049ca5331447d5cb064331698c645f2c44e2c4e51c613b099f
                                                                                                                                                                                                                                                  • Instruction ID: 51eb84a212206e2a87ad4a80187414da09e946e9a809fb256b0f7a2b673c91d2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ff135a553d3141049ca5331447d5cb064331698c645f2c44e2c4e51c613b099f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F31377120C3859BE7348F54EC01FEBB7E4EB85308F14093DF699CA281E77591068B5A
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009DF841
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1974802433-0
                                                                                                                                                                                                                                                  • Opcode ID: fb578a13bffeaa224a3b2a1246edbd304c4a9943cbc28b7dca189b1bb4d3c3a9
                                                                                                                                                                                                                                                  • Instruction ID: 8d814a55b1b6a2a4f5ef46129e972ec65e96c02121d1437e62ae5742ed48f88d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb578a13bffeaa224a3b2a1246edbd304c4a9943cbc28b7dca189b1bb4d3c3a9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82711775D85158AFDF20AF34DCAABE9B7BCAB45300F1481EBE04A97311DA304E819F10
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009D96DB
                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 009D97A7
                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009D97C7
                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 009D97D1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 254469556-0
                                                                                                                                                                                                                                                  • Opcode ID: 2da1b5c4f3326eaa9f68f2d44afa8c9bb37887a509bca0ce1d825de834f57609
                                                                                                                                                                                                                                                  • Instruction ID: 22ab1d47ff92fab3f0b9c34e0fa382323c14fe62e5be46876294be9bdd1a334d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2da1b5c4f3326eaa9f68f2d44afa8c9bb37887a509bca0ce1d825de834f57609
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB3127B5D552189BDB10EFA4D9897CCBBB8FF08300F1081AAE54DAB350EB709A85CF05
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: .sq$U{>y$tk
                                                                                                                                                                                                                                                  • API String ID: 0-1908265287
                                                                                                                                                                                                                                                  • Opcode ID: fe9d369215ae59bf8f0e652be0029dbe287517b77a01e18ec0a9d3604a881a57
                                                                                                                                                                                                                                                  • Instruction ID: 26be6f975a003ac920f2b9828a51a9f7b0361b3b13e1d049af301d240ecb6a9b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe9d369215ae59bf8f0e652be0029dbe287517b77a01e18ec0a9d3604a881a57
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 355156B29083518BC314CF24D8916BBB7F2EFD2354F29491DE4D68B391E7789881CB96
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: QOTL$cfgdQOTL(
                                                                                                                                                                                                                                                  • API String ID: 0-1041102262
                                                                                                                                                                                                                                                  • Opcode ID: b5acb474f2e6318f94453df1d46600d9046b57f515fcecbb5936f7cd36da01a4
                                                                                                                                                                                                                                                  • Instruction ID: baae48468f02253949789be9a9f93deb31354230cf9b03ea4ad6e7f0ba5e09aa
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5acb474f2e6318f94453df1d46600d9046b57f515fcecbb5936f7cd36da01a4
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86920FB55007018FD7248F24C8917A2BBF2FF96314F0986ADD4968F7A2E738E845CB95
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: ,-./$@A
                                                                                                                                                                                                                                                  • API String ID: 0-1711629388
                                                                                                                                                                                                                                                  • Opcode ID: 4e0d7943126a89f94e8b2c32deef5b19d661ae02a1ddcffc5b77e89c7d9c4155
                                                                                                                                                                                                                                                  • Instruction ID: b427f95eee88e6e90d2e7c6e9f09885fe0d71f34555a972a5764628c52f2a79a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e0d7943126a89f94e8b2c32deef5b19d661ae02a1ddcffc5b77e89c7d9c4155
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7B1E372B042209BD7109F24D88276BB7F0EF91355F49892DE8C59B382E37CDA05C79A
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: "_B$n[B
                                                                                                                                                                                                                                                  • API String ID: 0-3055631520
                                                                                                                                                                                                                                                  • Opcode ID: 04987499a22af4122d59eb180440eaaba37f8dd189f60d02e643de4799b8c78f
                                                                                                                                                                                                                                                  • Instruction ID: 62cab86c4d36762c2083a5c2b7229ea5af287306fc378645cba71aeb96ee3af7
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04987499a22af4122d59eb180440eaaba37f8dd189f60d02e643de4799b8c78f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4C11136218B22CBC324DF28D8905BBB7B2FF99740F96892DD4819B360E7789D05C785
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                  • String ID: 5|iL$KJML
                                                                                                                                                                                                                                                  • API String ID: 2994545307-536917200
                                                                                                                                                                                                                                                  • Opcode ID: 636d95659e541816b923c3f4d570c3d48a846f27e8197f310ddef13876200725
                                                                                                                                                                                                                                                  • Instruction ID: 021ef2e24474c152aafce047481dff9cba3e52c706cfde05c341d4b670c8cf24
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 636d95659e541816b923c3f4d570c3d48a846f27e8197f310ddef13876200725
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF61F532A053109BD7109F68D9C076BBBE2ABCA714F1DE46AD888B7352D639DC0197C9
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                  • String ID: @$P?l1
                                                                                                                                                                                                                                                  • API String ID: 2994545307-4135037845
                                                                                                                                                                                                                                                  • Opcode ID: 7b2b65917937c3de63858e8aa95c118a2f4085e070f529ae319bfc7e530804d0
                                                                                                                                                                                                                                                  • Instruction ID: 048af27f90df81157f785fbe2478cdb9cc1881c609c9a8ec9846b5c2d3b7d9fc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b2b65917937c3de63858e8aa95c118a2f4085e070f529ae319bfc7e530804d0
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23310F712093049BD304DF58C4C162BBBF4FF99344F04882EEA949B3A0D37999488B9A
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(00443598,00000000,00000001,00443588), ref: 00423589
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CreateInstance
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 542301482-0
                                                                                                                                                                                                                                                  • Opcode ID: 016393feeb3aaf5266cd89428a409469914a8c32bd70aadd08ee5d85eb0fe30b
                                                                                                                                                                                                                                                  • Instruction ID: 1c3a52efecc43846b604c9fc2bd1fb656c54c658cb3f3d421b38619bf31c0a25
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 016393feeb3aaf5266cd89428a409469914a8c32bd70aadd08ee5d85eb0fe30b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC51BEB1700224ABDB209F24DC86B6773B8EF81755F484519F9858B391F37DDA44C72A
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                  • String ID: KJML
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID: tw
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: XTx
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID: 7GC$TEC$^GC$^LC$xEC$xIC$FC
• API String ID: 4116985748-908964047
APIs
• type_info::operator==.LIBVCRUNTIME ref: 009E2702
• ___TypeMatch.LIBVCRUNTIME ref: 009E2810
• CatchIt.LIBVCRUNTIME ref: 009E2861
• _UnwindNestedFrames.LIBCMT ref: 009E2962
• CallUnexpected.LIBVCRUNTIME ref: 009E297D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 4119006552-393685449
                                                                                                                                                                                                                                                  • Opcode ID: 396079b4286b9b154e7919a666075ec472f3222046cbadbd017f339d091ff6a5
                                                                                                                                                                                                                                                  • Instruction ID: c252b1e24a4cbc589350549404eba3c455bde0d56cadb0344c0c6335cce8d87e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 396079b4286b9b154e7919a666075ec472f3222046cbadbd017f339d091ff6a5
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8B19C7180024AEFCF1ADFA6C980AAEB7BDFF54310F14416AE8156B212D331EE51CB91
APIs
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: 0dd6fdcb6c3c22f42961025e3d88b2f18fb62ea00eb941c302a54a3ad69194c2
• Instruction ID: f4b2701d94e4f580cd96ccd0d688a9ecd2a8da871d7a784322b732738110581b
• Opcode Fuzzy Hash: 0dd6fdcb6c3c22f42961025e3d88b2f18fb62ea00eb941c302a54a3ad69194c2
• Instruction Fuzzy Hash: C3715C32D08385ABDF239F66CC41BAE77BEAFA9310F194459EA00AB281DB35DD418750
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 009D49B7
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: (^Hx$(^Hx$(^Hx
• API String ID: 2659868963-1348055467
• Opcode ID: e9b2a69e86c96362dcdcbfacd2e9d1ab056cc512a8ccff5b3fc0c736b4190e24
• Instruction ID: b786e0477061027b405355b1c2a9e1c353c8ddaf4986348ce26ed46ae5912809
• Opcode Fuzzy Hash: e9b2a69e86c96362dcdcbfacd2e9d1ab056cc512a8ccff5b3fc0c736b4190e24
• Instruction Fuzzy Hash: B1814D392983004F8A24CB2999D423E72D6A799730F68CF17E495CF7E0EB799C449742
APIs
• _ValidateLocalCookies.LIBCMT ref: 009D9E97
• ___except_validate_context_record.LIBVCRUNTIME ref: 009D9E9F
• _ValidateLocalCookies.LIBCMT ref: 009D9F28
• __IsNonwritableInCurrentImage.LIBCMT ref: 009D9F53
• _ValidateLocalCookies.LIBCMT ref: 009D9FA8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 6f6c5e19bc56db2260c69ace41fcd32f8586ea0af75f054f2ae33a0907890db8
• Instruction ID: c6df2232228a701096d7a8addaa8cbea8fb9f53649d1ac874d89ff076e0e464c
• Opcode Fuzzy Hash: 6f6c5e19bc56db2260c69ace41fcd32f8586ea0af75f054f2ae33a0907890db8
• Instruction Fuzzy Hash: 6F41AF34A44259ABCF10EF6CD880B9EBBA5AF85314F14C156F8149B392D731EE01CB91
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,009DC9C9,?,009B782F,00000000,00000000), ref: 009DC97B
Strings
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: c9cbeed89918db6b695b189d72dcfdada3cc479d4ee8d7ffa6f6ab45eb97ad33
• Instruction ID: 66a83e24d1409f536e13252f7c4ac6aa1743ce3f026f7058a0544a662e4eddad
• Opcode Fuzzy Hash: c9cbeed89918db6b695b189d72dcfdada3cc479d4ee8d7ffa6f6ab45eb97ad33
• Instruction Fuzzy Hash: 052157F1E98212A7CB21AB659C90B5B371CAF81BA0F208622F955BB3C0D730FD01D6D1
APIs
• GetLastError.KERNEL32(?,?,009DC155,009D9C3D,009D9834), ref: 009DC16C
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009DC17A
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009DC193
• SetLastError.KERNEL32(00000000,009DC155,009D9C3D,009D9834), ref: 009DC1E5
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: fed9ecd343df67bc0b013f066b287e367746fea9c1a25b39e696dcc8adad03b7
• Instruction ID: 3b5980a8cb47b57bd4344be61ef45c5ebb64b2f8a828d9ace45fdb57aa5367cb
• Opcode Fuzzy Hash: fed9ecd343df67bc0b013f066b287e367746fea9c1a25b39e696dcc8adad03b7
• Instruction Fuzzy Hash: F40190B215D3735EEE1517B56CC2E1A2748DB91B79720423BF428853E2EF514C00E554
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: string too long$eIY$eIY$eIY
                                                                                                                                                                                                                                                  • API String ID: 0-1759105153
                                                                                                                                                                                                                                                  • Opcode ID: 5cd6d8782f123b6b042c93b28d16ec2e6417b9ff46f55ad7149e965fb3da6696
                                                                                                                                                                                                                                                  • Instruction ID: 4c5cf495e574c8eeff745abddb3304c462e87a8a6f62056dc26df3fcfbf617b2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5cd6d8782f123b6b042c93b28d16ec2e6417b9ff46f55ad7149e965fb3da6696
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA216723E0615067AD280628C585B6E39974AF2364F4B446ED40A6F3D7C636CCC49293
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,?,009E63CE,000000FF), ref: 009DA97A
                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009DA98C
                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,009E63CE,000000FF), ref: 009DA9AE
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                  • Opcode ID: 03e63a7a483130a444534f32d3ae5dc517ac12f9553a6a98da6e676d6a347e2f
                                                                                                                                                                                                                                                  • Instruction ID: 5eeab7ed1a8a938fdd05bcec7fe594f55f3973b4ffc5ee50f5e297b8e4b9a0af
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03e63a7a483130a444534f32d3ae5dc517ac12f9553a6a98da6e676d6a347e2f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14012671A54299EFDB028F40CC49FAEBBB8FB44B15F004626F821A63E0DB749C00CB91
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 009E0F2D
                                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 009E0FF6
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E105D
                                                                                                                                                                                                                                                    • Part of subcall function 009DEBBB: HeapAlloc.KERNEL32(00000000,009B76E8,?,?,009B76E8,01E84800), ref: 009DEBED
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E1070
                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 009E107D
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1096550386-0
                                                                                                                                                                                                                                                  • Opcode ID: 6ec16d1f351406baf340f9dd67be97b848ca357e3c84ee994bc73d0cfbcd60f8
                                                                                                                                                                                                                                                  • Instruction ID: 49fee81d99f27fe3366e819048334e71b93174d3cbc52376c541f8a25722a3ee
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ec16d1f351406baf340f9dd67be97b848ca357e3c84ee994bc73d0cfbcd60f8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE51B372600286AFDF226F62CC81FBB3BADEF84711B194529FD04D6251EB75DD90C660
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,009E290E,?,?,00000000,00000000,00000000,?), ref: 009E2A2D
                                                                                                                                                                                                                                                  • CatchIt.LIBVCRUNTIME ref: 009E2B13
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CatchEncodePointer
                                                                                                                                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                                                                                                                                  • API String ID: 1435073870-2084237596
                                                                                                                                                                                                                                                  • Opcode ID: f59ae0f04ca5259ec5faae36d13f87805ac2247026717fb7e1e70d9db9dc169b
                                                                                                                                                                                                                                                  • Instruction ID: 7d96d1b33e07dd65d7b5a8941a00d47eb62552b0d8542e669d708044a81a24a3
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f59ae0f04ca5259ec5faae36d13f87805ac2247026717fb7e1e70d9db9dc169b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C416871900249AFCF26DF95CD81AEEBBB9FF48304F18806AF904A7252D375AD50DB91
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 009E0C4F
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 009E0C59
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 009E0C81
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: f9f3bfb887ca9e8092ee2bf5543fdbd234bf639805c837c01febd44f467c315d
• Instruction ID: 52325b3c5bc9913cd79ab86c97193e8619a04413014817fb84f064ae18ab717c
• Opcode Fuzzy Hash: f9f3bfb887ca9e8092ee2bf5543fdbd234bf639805c837c01febd44f467c315d
• Instruction Fuzzy Hash: 51E04870694244FBDB111BA2DD47B1A3F599B80B40F244120FA8CAC1E1E7A2FC5195D9
APIs
• GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 009E1602
  • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009E1854
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 009E189A
• GetLastError.KERNEL32 ref: 009E193D
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: bee3687920d1797ed91c9170aa3dee52fc4c3ce3363da4659d4294f0b7c9fd89
• Instruction ID: e5005d7a1525dd526dc44ecc044cca91dc318d2661f3ff04dbad6bf136234f6b
• Opcode Fuzzy Hash: bee3687920d1797ed91c9170aa3dee52fc4c3ce3363da4659d4294f0b7c9fd89
• Instruction Fuzzy Hash: 26D17CB5D042889FCB16CFE9D890AEDBBB9FF49310F28452AE455EB352D630AD41CB50
APIs
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 386ab643bd86498f53e5cae39d3e6168fae8621bcacf20178ddf18a7de8f45f0
• Instruction ID: 9482c82e9f4d60ae32c9a6feff8b756ecf2f9bdab458d55fe95a552a617c1282
• Opcode Fuzzy Hash: 386ab643bd86498f53e5cae39d3e6168fae8621bcacf20178ddf18a7de8f45f0
• Instruction Fuzzy Hash: FB512772644686DFDB2A9F12D951B7AB7ADFF40310F24442DF846972A1EB31EC40D790
APIs
  • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
• GetLastError.KERNEL32(?,?,?,00000000,00000000,?,009DF8D4,?,?,?,00000000), ref: 009DF592
• __dosmaperr.LIBCMT ref: 009DF599
• GetLastError.KERNEL32(00000000,009DF8D4,?,?,00000000,?,?,?,00000000,00000000,?,009DF8D4,?,?,?,00000000), ref: 009DF5D3
• __dosmaperr.LIBCMT ref: 009DF5DA
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: a317586bf46e9fdd55d2e2c96d6cee2b9c046a0549e9a20fcb6ace79cffe4414
• Instruction ID: 9fc9dc228bff8ee323b5a3d5019edfe9db027e44c33787799ad11fc5d0f5654a
• Opcode Fuzzy Hash: a317586bf46e9fdd55d2e2c96d6cee2b9c046a0549e9a20fcb6ace79cffe4414
• Instruction Fuzzy Hash: 3721D475684205AFDB10AF65E89297BB7ACFF80364714C53BF92A9B311E730ED409760
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6de56e3b82d097439ad9a528eb05641e23434a2782c54f57bf70e5b112b61d8d
• Instruction ID: 34075c86bb6394f81f0d1b65a61f6096e0b5b793138b5f7e46244cfac6614692
• Opcode Fuzzy Hash: 6de56e3b82d097439ad9a528eb05641e23434a2782c54f57bf70e5b112b61d8d
• Instruction Fuzzy Hash: C7219F71680206BF9B20AFA5DCA3D6A77ACAF84364710C537F91E8B351E734EC4097A0
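The function records above are easier to triage once they are machine-readable: the APIs a function calls directly (as opposed to those inherited from a "Part of subcall function" entry), its Instruction Fuzzy Hash, and its Opcode ID can then be indexed and matched against a list of APIs that matter for the behaviours flagged in this report. The following parser is an added example and is not Joe Sandbox code; the record layout is inferred from the blocks on this page, the sample text is constructed from two of those records, and the injection-related watch list is an assumed illustration rather than anything the report states.

```python
"""Parse Joe Sandbox function records (the bullet-list blocks above) into
dicts and pick out functions that call APIs of interest.

Added example, not Joe Sandbox code.  The record format is inferred from the
blocks on this page; SAMPLE is constructed from two of them.
"""
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• Name.MODULE(arg,arg), ref: ADDR" with an optional "Part of subcall function ADDR:" prefix.
# The parentheses and the comma before "ref:" are optional (see GetLastError.KERNEL32 ref: ...).
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Assumed watch list for this example: APIs commonly seen in process injection
# and clipboard theft.  Adjust to the behaviour you are hunting for.
INJECTION_WATCHLIST = (
    "WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection",
    "ResumeThread", "GetClipboardData",
)

SAMPLE = """
APIs
• GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 009E1602
  • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000), ref: 009E018F
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009E1854
• GetLastError.KERNEL32 ref: 009E193D
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: bee3687920d1797ed91c9170aa3dee52fc4c3ce3363da4659d4294f0b7c9fd89
• Instruction Fuzzy Hash: 26D17CB5D042889FCB16CFE9D890AEDBBB9FF49310F28452AE455EB352D630AD41CB50
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 009E0232
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009E026A
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 5bcbb0f445cda887ee774e346dccfd0fbc036a46e23c47968a32eeb51901b51e
• Instruction Fuzzy Hash: C7219F71680206BF9B20AFA5DCA3D6A77ACAF84364710C537F91E8B351E734EC4097A0
"""


def parse_records(text):
    """Split the report text into records; each ends at its Instruction Fuzzy Hash line."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            current = {"calls": [], "fields": {}}
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                sub = m.group("sub")
                current["calls"].append({
                    "api": m.group("api"),
                    "module": m.group("mod"),
                    "args": [a for a in (m.group("args") or "").split(",") if a],
                    "ref": int(m.group("ref"), 16),
                    "subcall_of": int(sub, 16) if sub else None,
                })
            continue
        if line.startswith("•") and ":" in line:
            key, _, value = line[1:].partition(":")
            current["fields"][key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(current)
                current = None
    return records


def direct_api_names(record):
    """APIs this function calls itself; subcall entries belong to the callee."""
    return sorted({c["api"] for c in record["calls"] if c["subcall_of"] is None})


def index_by_api(records):
    """Map each directly-called API to the Instruction Fuzzy Hashes of its callers."""
    idx = defaultdict(list)
    for r in records:
        for name in direct_api_names(r):
            idx[name].append(r["fields"]["Instruction Fuzzy Hash"])
    return dict(idx)


def flag_by_watchlist(records, watchlist):
    """Return (Opcode ID prefix, matched APIs) for records touching the watch list."""
    hits = []
    for r in records:
        seen = set(direct_api_names(r)) & set(watchlist)
        if seen:
            hits.append((r["fields"]["Opcode ID"][:16], sorted(seen)))
    return hits
```

Feed the whole "Code Analysis" section to `parse_records` and the two CRT stubs in the sample (console write, environment-block copy) drop out of the watch-list hits, which is the point: most records here are Microsoft CRT runtime code pulled in by the linker, and the watch list narrows review to the functions behind the report's injection and clipboard signatures.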
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 009E0232
  • Part of subcall function 009E012E: WideCharToMultiByte.KERNEL32(?,00000000,009C3066,00000000,00000000,00000000,000000FF,?,?,00000000,009C3066,?,009DC091,?,00000000,?), ref: 009E018F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009E026A
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009E028A
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 5bcbb0f445cda887ee774e346dccfd0fbc036a46e23c47968a32eeb51901b51e
• Instruction ID: f3f97f9cc7fe610176eaa8417780f37e8a749ba65caec211bb4293d756301f52
• Opcode Fuzzy Hash: 5bcbb0f445cda887ee774e346dccfd0fbc036a46e23c47968a32eeb51901b51e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 731166F290A6867EA71227739CCDC7F699CCEC63A87000021F902D6301EAB4DD819170
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000), ref: 009E4437
• GetLastError.KERNEL32(?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?,?,?,009E12D7,00000000), ref: 009E4443
  • Part of subcall function 009E44A0: CloseHandle.KERNEL32(FFFFFFFE,009E4453,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?,?), ref: 009E44B0
• ___initconout.LIBCMT ref: 009E4453
  • Part of subcall function 009E4475: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,009E4411,009E3BEF,?,?,009E1991,?,00000000,00000000,?), ref: 009E4488
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,009E3C02,00000000,00000001,00000000,?,?,009E1991,?,00000000,00000000,?), ref: 009E4468
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 7ca164bed6218933b54e5948ec24d4f21324904785a5dae8d435fb7a8412ad6b
• Instruction ID: 03f3d2302df40bcd8bebf8db15955755eb8e74146d4049c308592abf015e92a4
• Opcode Fuzzy Hash: 7ca164bed6218933b54e5948ec24d4f21324904785a5dae8d435fb7a8412ad6b
• Instruction Fuzzy Hash: C1F01C36515294BBCF231FD2EC48A993F6BEF487A1B014010FA6889270E732CC21EB90
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 009E2285
Memory Dump Source
• Source File: 00000003.00000002.1592310367.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
• Associated: 00000003.00000002.1592294804.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592337845.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592358971.00000000009ED000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592374568.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1592390066.00000000009F3000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9b0000_aqbjn3fl.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 94024c18b831c8219928743c753b0bd03d0c391a15678ef90d4ad782970b0bc5
• Instruction ID: 03b7ccf173ae900599566c9ba4062f4e37e510d10444d69be67fd6d1427e22e7
• Opcode Fuzzy Hash: 94024c18b831c8219928743c753b0bd03d0c391a15678ef90d4ad782970b0bc5
• Instruction Fuzzy Hash: 7431B372400295EBCF278F52CC4496E7B6EFF09B15B18865AF95849221D33ACC62DF91
Memory Dump Source
• Source File: 00000003.00000002.1592231634.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: Wu
• API String ID: 3664257935-4083010176
• Opcode ID: 258e1ba9c224423b1a1c49954e9d779e47fc35ca85bf672c57b92161d3a4c994
• Instruction ID: 331fdb691759df2a5931b2739dcb7d62f7cb4d50402f2e14919dbf10c38f77d7
• Opcode Fuzzy Hash: 258e1ba9c224423b1a1c49954e9d779e47fc35ca85bf672c57b92161d3a4c994
• Instruction Fuzzy Hash: A9C002BD901445EFDE416F61FC49A283A62FB923257050130A66590435DB329AB1DE99