Windows Analysis Report
Neverlose.cc.exe

Overview

General Information

Sample name: Neverlose.cc.exe
Analysis ID: 1579579
MD5: fd8e94f50646325de0f502b98a9bcc2d
SHA1: 5f26af6c0bc9e573abc0490827468e4165b05b19
SHA256: c3afdbc9b9ba8c77858d6fb4394721ed65a6f68731306ccb64f8c283cde26503
Tags: exe, user-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Neverlose.cc.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\Neverlose.cc.exe" MD5: FD8E94F50646325DE0F502B98A9BCC2D)
    • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Neverlose.cc.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Neverlose.cc.exe" MD5: FD8E94F50646325DE0F502B98A9BCC2D)
    • WerFault.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["energyaffai.lat", "grannyejh.lat", "rapeflowwj.lat", "aspecteirs.lat", "discokeyus.lat", "sustainskelet.lat", "bellflamre.click", "crosshuaht.lat", "necklacebudi.lat"], "Build id": "LPnhqo--utgsudapuzph"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T02:28:09.743915+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
2024-12-23T02:28:12.213547+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:13.294212+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:12.969530+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:12.969530+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:07.123442+0100 | 2058354 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49516 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:05.448102+0100 | 2058212 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61412 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.737148+0100 | 2058358 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 52800 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:05.993499+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 54424 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:06.698980+0100 | 2058362 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65108 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:05.685870+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53714 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:06.386989+0100 | 2058370 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60881 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.966775+0100 | 2058374 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 57158 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.428946+0100 | 2058376 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53659 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:10.548905+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP

      AV Detection

      Source: 00000000.00000002.1977747636.0000000002449000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "grannyejh.lat", "rapeflowwj.lat", "aspecteirs.lat", "discokeyus.lat", "sustainskelet.lat", "bellflamre.click", "crosshuaht.lat", "necklacebudi.lat"], "Build id": "LPnhqo--utgsudapuzph"}
      Source: Neverlose.cc.exe, ReversingLabs: Detection: 31%
      Source: Neverlose.cc.exe, Virustotal: Detection: 35%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.4% probability
      Source: Neverlose.cc.exe, Joe Sandbox ML: detected
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: rapeflowwj.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: crosshuaht.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: sustainskelet.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: aspecteirs.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: energyaffai.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: necklacebudi.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: discokeyus.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: grannyejh.lat
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: bellflamre.click
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: Workgroup: -
      Source: 00000002.00000002.1794272369.000000000043E000.00000040.00000400.00020000.00000000.sdmpString decryptor: LPnhqo--utgsudapuzph
      Source: Neverlose.cc.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: Neverlose.cc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A563B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00A563B5

      Networking

      Source: Network trafficSuricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.4:53714 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.4:65108 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.4:57158 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:54424 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.4:61412 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.4:49516 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.4:53659 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.4:60881 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.4:52800 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49732 -> 23.55.153.106:443
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 172.67.157.254:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.157.254:443
      Source: Joe Sandbox ViewIP Address: 172.67.157.254 172.67.157.254
      Source: Joe Sandbox ViewIP Address: 23.55.153.106 23.55.153.106
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.157.254:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 23.55.153.106:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.157.254:443
      Source: global traffic, HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
      Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: lev-tolstoi.com
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: bellflamre.click
      Source: global trafficDNS traffic detected: DNS query: grannyejh.lat
      Source: global trafficDNS traffic detected: DNS query: discokeyus.lat
      Source: global trafficDNS traffic detected: DNS query: necklacebudi.lat
      Source: global trafficDNS traffic detected: DNS query: energyaffai.lat
      Source: global trafficDNS traffic detected: DNS query: aspecteirs.lat
      Source: global trafficDNS traffic detected: DNS query: sustainskelet.lat
      Source: global trafficDNS traffic detected: DNS query: crosshuaht.lat
      Source: global trafficDNS traffic detected: DNS query: rapeflowwj.lat
      Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
      Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
      Source: unknown, HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: lev-tolstoi.com
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&lJ
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
      Source: Neverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
      Source: Neverlose.cc.exe, 00000002.00000002.1794868710.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
      Source: Neverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
      Source: Neverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
      Source: Neverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
      Source: Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://energyaffai.lat:443/api
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.000000000152B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.000000000152B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pidN
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/apii.
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rapeflowwj.lat:443/api&
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
      Source: Neverlose.cc.exe, 00000002.00000002.1794868710.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
      Source: Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
      Source: Neverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
      Source: Neverlose.cc.exe, 00000002.00000002.1794868710.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/w
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
      Source: Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
      Source: Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
      Source: Neverlose.cc.exe, 00000002.00000002.1794868710.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
      Source: Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
      Source: Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: String function: 00A441E0 appears 94 times
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: String function: 004145B0 appears 76 times
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: String function: 00A514C4 appears 34 times
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: String function: 00A4D05E appears 42 times
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: String function: 00407FE0 appears 76 times
      Source: C:\Users\user\Desktop\Neverlose.cc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 304
      Source: Neverlose.cc.exe, 00000000.00000000.1692467441.0000000000ABC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc.exe
      Source: Neverlose.cc.exe, 00000000.00000002.1977747636.0000000002449000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc.exe
      Source: Neverlose.cc.exe, 00000002.00000000.1702927761.0000000000ABC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc.exe
      Source: Neverlose.cc.exe, 00000002.00000003.1707129524.0000000002F98000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc.exe
      Source: Neverlose.cc.exeBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc.exe
      Source: Neverlose.cc.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: Neverlose.cc.exeStatic PE information: Section: .bss ZLIB complexity 1.000329525483304
      Source: classification engineClassification label: mal100.troj.evad.winEXE@5/5@11/2
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7348
      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\6e0f0f04-dd9e-48dc-a6f7-569afa5eefd2
      Source: Neverlose.cc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Neverlose.cc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Neverlose.cc.exeReversingLabs: Detection: 31%
      Source: Neverlose.cc.exeVirustotal: Detection: 35%
      Source: C:\Users\user\Desktop\Neverlose.cc.exeFile read: C:\Users\user\Desktop\Neverlose.cc.exe
      Source: unknownProcess created: C:\Users\user\Desktop\Neverlose.cc.exe "C:\Users\user\Desktop\Neverlose.cc.exe"
      Source: C:\Users\user\Desktop\Neverlose.cc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Neverlose.cc.exeProcess created: C:\Users\user\Desktop\Neverlose.cc.exe "C:\Users\user\Desktop\Neverlose.cc.exe"
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: apphelp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: wldp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: webio.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: mswsock.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: winnsi.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: schannel.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: msasn1.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: gpapi.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: dpapi.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Neverlose.cc.exeSection loaded: uxtheme.dll
      Source: Neverlose.cc.exeStatic file information: File size 57172992 > 1048576
      Source: Neverlose.cc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
      Source: Neverlose.cc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: Neverlose.cc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: Neverlose.cc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: Neverlose.cc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: Neverlose.cc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A44303 push ecx; ret 0_2_00A44316
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_0043B250 push eax; mov dword ptr [esp], 86858453h2_2_0043B253
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A44303 push ecx; ret 2_2_00A44316
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Neverlose.cc.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-20559
      Source: C:\Users\user\Desktop\Neverlose.cc.exeAPI coverage: 3.5 %
      Source: C:\Users\user\Desktop\Neverlose.cc.exe TID: 7548Thread sleep time: -150000s >= -30000s
      Source: C:\Users\user\Desktop\Neverlose.cc.exe TID: 7548Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A563B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00A563B5
      Source: Amcache.hve.5.drBinary or memory string: VMware
      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
      Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
      Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
      Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000150C000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWHq
      Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.5.drBinary or memory string: vmci.sys
      Source: Amcache.hve.5.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
      Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.5.drBinary or memory string: VMware20,1
      Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
      Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\Desktop\Neverlose.cc.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00439AF0 LdrInitializeThunk,2_2_00439AF0
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A44073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A44073
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A6C19E mov edi, dword ptr fs:[00000030h]0_2_00A6C19E
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A316A0 mov edi, dword ptr fs:[00000030h]0_2_00A316A0
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A316A0 mov edi, dword ptr fs:[00000030h]2_2_00A316A0
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A51DBC GetProcessHeap,0_2_00A51DBC
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A44067 SetUnhandledExceptionFilter,0_2_00A44067
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A44073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A44073
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A43CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A43CB7
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A4CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A4CDB0
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A44067 SetUnhandledExceptionFilter,2_2_00A44067
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A44073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A44073
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A43CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00A43CB7
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 2_2_00A4CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A4CDB0

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A6C19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00A6C19E
      Source: C:\Users\user\Desktop\Neverlose.cc.exeMemory written: C:\Users\user\Desktop\Neverlose.cc.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\Neverlose.cc.exeProcess created: C:\Users\user\Desktop\Neverlose.cc.exe "C:\Users\user\Desktop\Neverlose.cc.exe"
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,0_2_00A511AC
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,0_2_00A516A7
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00A5566E
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,0_2_00A558BF
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00A5595A
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,0_2_00A55BAD
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,0_2_00A55CE1
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,0_2_00A55C0C
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00A55DD3
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,0_2_00A55D2C
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,0_2_00A55ED9
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,2_2_00A511AC
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,2_2_00A516A7
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00A5566E
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,2_2_00A558BF
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00A5595A
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,2_2_00A55BAD
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: EnumSystemLocalesW,2_2_00A55CE1
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,2_2_00A55C0C
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00A55DD3
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,2_2_00A55D2C
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: GetLocaleInfoW,2_2_00A55ED9
      Source: C:\Users\user\Desktop\Neverlose.cc.exeCode function: 0_2_00A447EF GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_00A447EF
      Source: C:\Users\user\Desktop\Neverlose.cc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

      Source: Yara match File source: sslproxydump.pcap, type: PCAP
      Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match File source: sslproxydump.pcap, type: PCAP
      Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
      | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 211 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
      | Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
      | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
      | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
      | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
      | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | Neverlose.cc.exe | 32% | ReversingLabs | Win32.Trojan.Generic | |
      | Neverlose.cc.exe | 36% | Virustotal | | Browse |
      | Neverlose.cc.exe | 100% | Joe Sandbox ML | | |
      No Antivirus matches
      No Antivirus matches
      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | sustainskelet.lat | 0% | URL Reputation | safe | |
      | crosshuaht.lat | 0% | URL Reputation | safe | |
      | energyaffai.lat | 0% | URL Reputation | safe | |
      | necklacebudi.lat | 0% | URL Reputation | safe | |
      No Antivirus matches
      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
      |---|---|---|---|---|---|
      | steamcommunity.com | 23.55.153.106 | true | false | | high |
      | lev-tolstoi.com | 172.67.157.254 | true | false | | high |
      | sustainskelet.lat | unknown | unknown | true | 0%, URL Reputation | unknown |
      | crosshuaht.lat | unknown | unknown | true | 0%, URL Reputation | unknown |
      | rapeflowwj.lat | unknown | unknown | false | | high |
      | grannyejh.lat | unknown | unknown | false | | high |
      | aspecteirs.lat | unknown | unknown | false | | high |
      | bellflamre.click | unknown | unknown | false | | high |
      | discokeyus.lat | unknown | unknown | false | | high |
      | energyaffai.lat | unknown | unknown | true | 0%, URL Reputation | unknown |
      | necklacebudi.lat | unknown | unknown | true | 0%, URL Reputation | unknown |
      | Name | Malicious | Antivirus Detection | Reputation |
      |---|---|---|---|
      | aspecteirs.lat | false | | high |
      | sustainskelet.lat | false | | high |
      | rapeflowwj.lat | false | | high |
      | https://steamcommunity.com/profiles/76561199724331900 | false | | high |
      | energyaffai.lat | false | | high |
      | https://lev-tolstoi.com/api | false | | high |
      | grannyejh.lat | false | | high |
      | necklacebudi.lat | false | | high |
      | crosshuaht.lat | false | | high |
      | bellflamre.click | false | | high |
                                                                                                                                                        unknown
                                                                                                                                                        https://store.steampowered.com/stats/Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://medal.tvNeverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://broadcast.st.dl.eccdnx.comNeverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://store.steampowered.com/steam_refunds/Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/css/Neverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=eNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://steamcommunity.com/workshop/Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://login.steampowered.com/Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbbNeverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_cNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://store.steampowered.com/legal/Neverlose.cc.exe, 00000002.00000002.1794868710.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000002.1794658983.000000000153A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=engNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&aNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=englNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&lJNeverlose.cc.exe, 00000002.00000002.1794806836.0000000001563000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://upx.sf.netAmcache.hve.5.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://store.steampowered.com/Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://127.0.0.1:27060Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgNeverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gifNeverlose.cc.exe, 00000002.00000003.1794057075.000000000153D000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://rapeflowwj.lat:443/api&Neverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  https://lev-tolstoi.com:443/apiNeverlose.cc.exe, 00000002.00000002.1794658983.0000000001521000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampNeverlose.cc.exe, 00000002.00000003.1790838404.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc.exe, 00000002.00000003.1768659425.00000000015A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://help.steampowered.com/Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://api.steampowered.com/Neverlose.cc.exe, 00000002.00000003.1793990888.0000000001563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579579
Start date and time: 2024-12-23 02:27:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Neverlose.cc.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@5/5@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
                                                                                                                                                                                                                            • Number of executed functions: 28
                                                                                                                                                                                                                            • Number of non-executed functions: 145
                                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.181.0, 172.202.163.200, 13.107.246.63
                                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
| 20:28:05 | API Interceptor | 8x Sleep call for process: Neverlose.cc.exe modified |
| 20:28:30 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name |
| 172.67.157.254 | Launcher_x64.exe | malicious | LummaC |
| | Armanivenntii_crypted_EASY.exe | malicious | LummaC |
| | aqbjn3fl.exe | malicious | LummaC |
| | aqbjn3fl.exe | malicious | LummaC |
| | v_dolg.exe | malicious | LummaC Stealer |
| | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar |
| | alexshlu.exe | malicious | LummaC Stealer |
| | ardware-v1.exe | malicious | LummaC |
| | https://t.co/nq9BYOxCg9 | malicious | HTMLPhisher |
| 23.55.153.106 | Launcher_x64.exe | malicious | LummaC |
| | WonderHack.exe | malicious | LummaC |
| | Launcher.exe | malicious | LummaC |
| | Wave-Executor.exe | malicious | LummaC |
| | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT |
| | 8ZVMneG.exe | malicious | LummaC |
| | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer |
| | ji2xlo1f.exe | malicious | LummaC |
| | Armanivenntii_crypted_EASY.exe | malicious | LummaC |
| | aqbjn3fl.exe | malicious | LummaC |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| lev-tolstoi.com | Launcher_x64.exe | malicious | LummaC | 172.67.157.254 |
| | WonderHack.exe | malicious | LummaC | 104.21.66.86 |
| | Launcher.exe | malicious | LummaC | 104.21.66.86 |
| | 8ZVMneG.exe | malicious | LummaC | 104.21.66.86 |
| | ji2xlo1f.exe | malicious | LummaC | 104.21.66.86 |
| | Armanivenntii_crypted_EASY.exe | malicious | LummaC | 172.67.157.254 |
| | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254 |
| | aqbjn3fl.exe | malicious | LummaC | 172.67.157.254 |
| | v_dolg.exe | malicious | LummaC Stealer | 172.67.157.254 |
| | CompleteStudio.exe | malicious | LummaC | 104.21.66.86 |
| steamcommunity.com | Launcher_x64.exe | malicious | LummaC | 23.55.153.106 |
| | WonderHack.exe | malicious | LummaC | 23.55.153.106 |
| | Launcher.exe | malicious | LummaC | 23.55.153.106 |
| | Wave-Executor.exe | malicious | LummaC | 23.55.153.106 |
| | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 23.55.153.106 |
| | 8ZVMneG.exe | malicious | LummaC | 23.55.153.106 |
| | qth5kdee.exe | malicious | LummaC | 104.102.49.254 |
| | LgendPremium.exe | malicious | LummaC | 104.102.49.254 |
| | ji2xlo1f.exe | malicious | LummaC | 23.55.153.106 |
| | f86nrrc6.exe | malicious | LummaC | 104.102.49.254 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| AKAMAI-ASN1EU | Launcher_x64.exe | malicious | LummaC | 23.55.153.106 |
| | WonderHack.exe | malicious | LummaC | 23.55.153.106 |
| | Launcher.exe | malicious | LummaC | 23.55.153.106 |
| | Wave-Executor.exe | malicious | LummaC | 23.55.153.106 |
| | 2.elf | malicious | Unknown | 172.237.152.235 |
| | mips.nn.elf | malicious | Mirai, Okiru | 23.211.121.53 |
| | nshkarm7.elf | malicious | Mirai | 172.233.106.253 |
| | nsharm7.elf | malicious | Mirai | 172.227.252.37 |
| | arm5.nn.elf | malicious | Mirai, Okiru | 23.215.103.199 |
| | nsharm.elf | malicious | Mirai | 23.1.235.104 |
| CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.65.145 |
| | bas.exe | malicious | LummaC | 104.21.71.155 |
| | Wine.exe | malicious | LummaC | 104.21.50.161 |
| | tg.exe | malicious | Babadeda | 172.67.74.152 |
| | Launcher_x64.exe | malicious | LummaC | 172.67.157.254 |
| | tg.exe | malicious | Babadeda | 104.26.12.205 |
| | setup.exe | malicious | Babadeda | 104.26.13.205 |
| | AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | |
                                                                                                                                                                                                                                                                  • 104.21.80.1
                                                                                                                                                                                                                                                                  WonderHack.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                                  installer.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                  • 172.67.164.25
                                                                                                                                                                                                                                                                  No context
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):65536
                                                                                                                                                                                                                                                                  Entropy (8bit):0.7188066390334041
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:cYFeQ8l5ZsMsh1yDfUQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3o8Fa9OyWZAX/dI:BgQ85Z90BU/Aj/qzuiFHZ24IO8ZT
                                                                                                                                                                                                                                                                  MD5:16548DA7818E03C390D689921E284D5D
                                                                                                                                                                                                                                                                  SHA1:0EC11647D83AA9DFBD289B9A08241A4A0282B239
                                                                                                                                                                                                                                                                  SHA-256:717A4AA0E5518F38F3B30B16BD38B2C195C356C87EBBD45EEA741506FADDA269
                                                                                                                                                                                                                                                                  SHA-512:9E1886EAEA9C56F89771150230ED4AD68FC8AABB5790222E5DB7B98206E99C7985E2266E12C638CFD54D6F302EFA44C3C050F0E2A17EB2E10790EBE3DD39FDD9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:low
Preview:
Version=1
EventType=APPCRASH
EventTime=133793908846323277
ReportType=2
Consent=1
UploadTime=133793908849292111
ReportStatus=524384
ReportIdentifier=04f59196-19eb-49cf-a5a8-432e003f55af
IntegratorReportIdentifier=6fddf129-4827-4fed-a558-5079431d234f
Wow64Host=34404
Wow64Guest=332
NsAppName=Neverlose.cc.exe
OriginalFilename=RpcPing.exe
AppSessionGuid=00001cb4-0001-0014-18d7-57e8d954db01
TargetAppId=W:0006f8fe4ddb12e22396db24b977ffec15d500000904!000067434a21de62f73310c74f1cb320efc0a3
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 01:28:04 2024, 0x1205a4 type
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41472
                                                                                                                                                                                                                                                                  Entropy (8bit):1.7272859687076003
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:PD03j0+QVhemlOGfSVXC7YHdNqY/5CCKrmZgl5EG:b9+qxIGKVXC7gdNCCKmZRG
                                                                                                                                                                                                                                                                  MD5:E7E34F3ABA457C14512EA3FF5BDBD4CC
                                                                                                                                                                                                                                                                  SHA1:8C1A5544BFB07BF7C8E640D777A015397C48EE12
                                                                                                                                                                                                                                                                  SHA-256:889DA32EED737337AEF5D8C542B191C83D39207B881C297CE502EB6DE47DECA4
                                                                                                                                                                                                                                                                  SHA-512:6906DEA14EDF6DF9761373BF76065B0095908546DF4D4523F485A84071B10CAB701C99FA74C12B3B58761E7B41FA7D5C666A022FAEFE3F31A6184DCCD6BBEB32
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8346
                                                                                                                                                                                                                                                                  Entropy (8bit):3.6929902844589324
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:R6l7wVeJgy6IqHj36Y9aSU9reqgmfcuJv4pr/89bjusfrBm:R6lXJF6IqHj36YwSU9r7gmfcuJvNjtfA
                                                                                                                                                                                                                                                                  MD5:E123E3A448AEBB656BFCA95D7ED26939
                                                                                                                                                                                                                                                                  SHA1:C8E4C2C682CA69534D57912F77DBAC35968C45F9
                                                                                                                                                                                                                                                                  SHA-256:294018A3E3E65D6C202F118ED76DD7D1C59CE45AEE0DD47F5B6E977A1CCCB8C1
                                                                                                                                                                                                                                                                  SHA-512:2E04420EC3A78982964762FA782D03EFA27BB520E51FF7A4E4DB69C1ECCDB3727E7C5F44192C7EA69720B7069607942D954D30A7843885685F95E67E62C5D99E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7348</Pi
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4671
                                                                                                                                                                                                                                                                  Entropy (8bit):4.45952081663456
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:cvIwWl8zsnQNJg77aI9SdWpW8VYkYm8M4JXEmuFu+q8rErR75ZKQ8Ab0gd:uIjfnQnI70s7VYJzL5ZKQ8AYgd
                                                                                                                                                                                                                                                                  MD5:EB744184F6DDF514DF622014665AC3D8
                                                                                                                                                                                                                                                                  SHA1:9CFB58CCA00932329E8B267EC8C51E8E2CB1BEC8
                                                                                                                                                                                                                                                                  SHA-256:FA3F1C778B80C3CFE33238F929E824BA9C15A3E6DD746AD68DC1D0E710B79C0A
                                                                                                                                                                                                                                                                  SHA-512:650AAB9181EEDA441DABD2B0AFAB6FF06603DD7EFF070F4C732CAD6589515116B00170AC14EE0C67B544CAE5FA23484F3DCDDCC3F987ABA0DBC818E099954E29
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643230" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1835008
                                                                                                                                                                                                                                                                  Entropy (8bit):4.466083514886722
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:RIXfpi67eLPU9skLmb0b4VWSPKaJG8nAgejZMMhA2gX4WABl0uNWdwBCswSb/:yXD94VWlLZMM6YFHw+/
                                                                                                                                                                                                                                                                  MD5:2F53DF8D10AF3B04BCA5E652EAE7148E
                                                                                                                                                                                                                                                                  SHA1:12C5DF1B8094BA9A3A926C5DC48F103585C3FB7B
                                                                                                                                                                                                                                                                  SHA-256:98A54A949C216F1CF44BA36C2F32CE4B68B9651F671960F48CA939B5B7DE81D1
                                                                                                                                                                                                                                                                  SHA-512:D85C71FCB085C8DDCA49D2568718344B8968E83F74446951A0EB361B767122AD8510DC813F0DBFDDB9C2800B036041B93749A5DD1E6381CCB635580DCE366BB9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmVt...T..............................................................................................................................................................................................................................................................................................................................................)...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                  File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Entropy (8bit):0.15025844074480657
                                                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                                  File name:Neverlose.cc.exe
                                                                                                                                                                                                                                                                  File size:57'172'992 bytes
                                                                                                                                                                                                                                                                  MD5:fd8e94f50646325de0f502b98a9bcc2d
                                                                                                                                                                                                                                                                  SHA1:5f26af6c0bc9e573abc0490827468e4165b05b19
                                                                                                                                                                                                                                                                  SHA256:c3afdbc9b9ba8c77858d6fb4394721ed65a6f68731306ccb64f8c283cde26503
                                                                                                                                                                                                                                                                  SHA512:bb4479107d3fbe0e6afcb981c63e4ec62ee445a829b1b0906a964dba7b703ac2a4d6935009d4b3738b26940c3ee4de70aba987a4548728f5eec1385bf1b2ea9b
                                                                                                                                                                                                                                                                  SSDEEP:12288:23sPnKB1HitY7GwKKNLio3vp1wz+psXxilQmqNXey/i:28PnKrittwK+LB3vpSKislQmqNXE
                                                                                                                                                                                                                                                                  TLSH:08C7C00171518072DDA725B758BADB5E4A3EEB200B627ACFA3480CB9DF355C1A631F27
                                                                                                                                                                                                                                                                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg.........."..................K............@.......................................@.................................\...P..
                                                                                                                                                                                                                                                                  Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                                                  Entrypoint:0x414bbb
                                                                                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                                  Subsystem:windows cui
                                                                                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                  Time Stamp:0x6766D9DE [Sat Dec 21 15:08:14 2024 UTC]
                                                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                                                                  Import Hash:0e4c328663ae5868d07c0edb57d0348d
                                                                                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                                                                                  call 00007FEF0080B9BAh
                                                                                                                                                                                                                                                                  jmp 00007FEF0080B829h
                                                                                                                                                                                                                                                                  mov ecx, dword ptr [0043D6C0h]
                                                                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                                                                  push edi
                                                                                                                                                                                                                                                                  mov edi, BB40E64Eh
                                                                                                                                                                                                                                                                  mov esi, FFFF0000h
                                                                                                                                                                                                                                                                  cmp ecx, edi
                                                                                                                                                                                                                                                                  je 00007FEF0080B9B6h
                                                                                                                                                                                                                                                                  test esi, ecx
                                                                                                                                                                                                                                                                  jne 00007FEF0080B9D8h
                                                                                                                                                                                                                                                                  call 00007FEF0080B9E1h
                                                                                                                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                                                                                                                  cmp ecx, edi
                                                                                                                                                                                                                                                                  jne 00007FEF0080B9B9h
                                                                                                                                                                                                                                                                  mov ecx, BB40E64Fh
                                                                                                                                                                                                                                                                  jmp 00007FEF0080B9C0h
                                                                                                                                                                                                                                                                  test esi, ecx
                                                                                                                                                                                                                                                                  jne 00007FEF0080B9BCh
                                                                                                                                                                                                                                                                  or eax, 00004711h
                                                                                                                                                                                                                                                                  shl eax, 10h
                                                                                                                                                                                                                                                                  or ecx, eax
                                                                                                                                                                                                                                                                  mov dword ptr [0043D6C0h], ecx
                                                                                                                                                                                                                                                                  not ecx
                                                                                                                                                                                                                                                                  pop edi
                                                                                                                                                                                                                                                                  mov dword ptr [0043D700h], ecx
                                                                                                                                                                                                                                                                  pop esi
                                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                                  push ebp
                                                                                                                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                                                                                                                  sub esp, 14h
                                                                                                                                                                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                                  xorps xmm0, xmm0
                                                                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                                                                  movlpd qword ptr [ebp-0Ch], xmm0
                                                                                                                                                                                                                                                                  call dword ptr [0043A5D8h]
                                                                                                                                                                                                                                                                  mov eax, dword ptr [ebp-08h]
                                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                                                  mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                  call dword ptr [0043A590h]
                                                                                                                                                                                                                                                                  xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                  call dword ptr [0043A58Ch]
                                                                                                                                                                                                                                                                  xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                                                  lea eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                                                                  call dword ptr [0043A628h]
                                                                                                                                                                                                                                                                  mov eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                                                                  lea ecx, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                  xor eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                                                                  xor eax, ecx
                                                                                                                                                                                                                                                                  leave
                                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                                  mov eax, 00004000h
                                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                                  push 0043EC38h
                                                                                                                                                                                                                                                                  call dword ptr [0043A600h]
                                                                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                                                                  push 00030000h
                                                                                                                                                                                                                                                                  push 00010000h
                                                                                                                                                                                                                                                                  push 00000000h
                                                                                                                                                                                                                                                                  call 00007FEF00812FE8h
                                                                                                                                                                                                                                                                  add esp, 0Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a35c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x3e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41000 | 0x2114 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x367e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32b78 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3a524 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2f54f | 0x2f600 | 58bc155b094b6873a22cc988795a8d23 | False | 0.5124196075197889 | data | 6.453078444758717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x31000 | 0xa9ec | 0xaa00 | ee0908da15a0e5d81cca81415109d13b | False | 0.4196920955882353 | data | 4.875338264838317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x3400 | 0x2400 | 81d422e119a7deac089cc0743b9210da | False | 0.3245442708333333 | data | 5.214421128212959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x40000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x41000 | 0x2114 | 0x2200 | fb9df7b78b2799ee418116907747d382 | False | 0.7449448529411765 | data | 6.477521124661293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss | 0x44000 | 0x47200 | 0x47200 | e130f201e46a3d1d06d923deadc4301d | False | 1.000329525483304 | data | 7.999367293745348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x8c000 | 0x3e8 | 0x400 | 93d6519c97ffd7db4a07ab1d2e3304e8 | False | 0.43359375 | data | 3.2859175893892143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8c058 | 0x390 | data | English | United States | 0.4517543859649123
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | DefWindowProcW
ADVAPI32.dll | EqualPrefixSid
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T02:28:05.448102+0100 | 2058212 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) | 1 | 192.168.2.4 | 61412 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:05.685870+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.4 | 53714 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:05.993499+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.4 | 54424 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:06.386989+0100 | 2058370 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) | 1 | 192.168.2.4 | 60881 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:06.698980+0100 | 2058362 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) | 1 | 192.168.2.4 | 65108 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.123442+0100 | 2058354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) | 1 | 192.168.2.4 | 49516 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.428946+0100 | 2058376 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) | 1 | 192.168.2.4 | 53659 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.737148+0100 | 2058358 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) | 1 | 192.168.2.4 | 52800 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:07.966775+0100 | 2058374 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) | 1 | 192.168.2.4 | 57158 | 1.1.1.1 | 53 | UDP
2024-12-23T02:28:09.743915+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
2024-12-23T02:28:10.548905+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
2024-12-23T02:28:12.213547+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:12.969530+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:12.969530+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2024-12-23T02:28:13.294212+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.157.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.762876987 CET49732443192.168.2.423.55.153.106
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.762881994 CET4434973223.55.153.106192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.991657972 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.991770029 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.991926908 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.992273092 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:10.992305040 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.213406086 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.213546991 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.215359926 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.215373993 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.215706110 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.217040062 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.217061996 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.217133045 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.969532967 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.969657898 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.969741106 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.979861021 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.979903936 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.979932070 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:12.979942083 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.144419909 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.144479036 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.144556999 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.145179033 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.145204067 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                                  Dec 23, 2024 02:28:13.294212103 CET49737443192.168.2.4172.67.157.254
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 02:28:05.448101997 CET | 192.168.2.4 | 1.1.1.1 | 0xfebf | Standard query (0) | bellflamre.click | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:05.685869932 CET | 192.168.2.4 | 1.1.1.1 | 0x2713 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:05.993499041 CET | 192.168.2.4 | 1.1.1.1 | 0xef57 | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:06.386989117 CET | 192.168.2.4 | 1.1.1.1 | 0x17dd | Standard query (0) | necklacebudi.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:06.698980093 CET | 192.168.2.4 | 1.1.1.1 | 0xc41f | Standard query (0) | energyaffai.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.123441935 CET | 192.168.2.4 | 1.1.1.1 | 0x64d2 | Standard query (0) | aspecteirs.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.428946018 CET | 192.168.2.4 | 1.1.1.1 | 0x2417 | Standard query (0) | sustainskelet.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.737148046 CET | 192.168.2.4 | 1.1.1.1 | 0x55ff | Standard query (0) | crosshuaht.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.966774940 CET | 192.168.2.4 | 1.1.1.1 | 0x67ec | Standard query (0) | rapeflowwj.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:08.190161943 CET | 192.168.2.4 | 1.1.1.1 | 0x1525 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:10.771714926 CET | 192.168.2.4 | 1.1.1.1 | 0xd3c7 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 02:28:05.673744917 CET | 1.1.1.1 | 192.168.2.4 | 0xfebf | Name error (3) | bellflamre.click | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:05.990890980 CET | 1.1.1.1 | 192.168.2.4 | 0x2713 | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:06.382041931 CET | 1.1.1.1 | 192.168.2.4 | 0xef57 | Name error (3) | discokeyus.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:06.693669081 CET | 1.1.1.1 | 192.168.2.4 | 0x17dd | Name error (3) | necklacebudi.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.099283934 CET | 1.1.1.1 | 192.168.2.4 | 0xc41f | Name error (3) | energyaffai.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.427222967 CET | 1.1.1.1 | 192.168.2.4 | 0x64d2 | Name error (3) | aspecteirs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.652199984 CET | 1.1.1.1 | 192.168.2.4 | 0x2417 | Name error (3) | sustainskelet.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:07.962975979 CET | 1.1.1.1 | 192.168.2.4 | 0x55ff | Name error (3) | crosshuaht.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:08.187021017 CET | 1.1.1.1 | 192.168.2.4 | 0x67ec | Name error (3) | rapeflowwj.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:08.327555895 CET | 1.1.1.1 | 192.168.2.4 | 0x1525 | No error (0) | steamcommunity.com |  | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:10.990654945 CET | 1.1.1.1 | 192.168.2.4 | 0xd3c7 | No error (0) | lev-tolstoi.com |  | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 02:28:10.990654945 CET | 1.1.1.1 | 192.168.2.4 | 0xd3c7 | No error (0) | lev-tolstoi.com |  | 104.21.66.86 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                                  • steamcommunity.com
                                                                                                                                                                                                                                                                  • lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | 7408 | C:\Users\user\Desktop\Neverlose.cc.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 01:28:09 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                  Host: steamcommunity.com
2024-12-23 01:28:10 UTC | 1905 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Date: Mon, 23 Dec 2024 01:28:10 GMT
                                                                                                                                                                                                                                                                  Content-Length: 35121
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Set-Cookie: sessionid=263c0299fe00d4bc856cd388; Path=/; Secure; SameSite=None
                                                                                                                                                                                                                                                                  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-23 01:28:10 UTC | 14479 | IN
                                                                                                                                                                                                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-23 01:28:10 UTC | 10097 | IN
                                                                                                                                                                                                                                                                  Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-23 01:28:10 UTC | 10545 | IN
                                                                                                                                                                                                                                                                  Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | 7408 | C:\Users\user\Desktop\Neverlose.cc.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 01:28:12 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                  Content-Length: 8
                                                                                                                                                                                                                                                                  Host: lev-tolstoi.com
2024-12-23 01:28:12 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                                                                                                                                                  Data Ascii: act=life
2024-12-23 01:28:12 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Mon, 23 Dec 2024 01:28:12 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Set-Cookie: PHPSESSID=bh5o4j3877d9uh6rl43s1d8vuv; expires=Thu, 17 Apr 2025 19:14:51 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j7tkDNqx1uwF0lYUnCscWzerlG5cnAbgyrcIGYel7PjAGrP81mjeQDBZdW%2FiCL5STQqW7Wh4%2FI3Sp6t9NyEfcG8fbfEdkPh6BIwEIj7EGutmkxGL7eS%2F4XPrw8WdMnXgfnA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f6492d60bd442d7-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1754&rtt_var=676&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1595628&cwnd=245&unsent_bytes=0&cid=656f338c0e75a303&ts=770&x=0"
2024-12-23 01:28:12 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 2ok
2024-12-23 01:28:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


                                                                                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                                                                                  Start time:20:28:02
                                                                                                                                                                                                                                                                  Start date:22/12/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\Neverlose.cc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\Neverlose.cc.exe"
                                                                                                                                                                                                                                                                  Imagebase:0xa30000
                                                                                                                                                                                                                                                                  File size:57'172'992 bytes
                                                                                                                                                                                                                                                                  MD5 hash:FD8E94F50646325DE0F502B98A9BCC2D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:1
                                                                                                                                                                                                                                                                  Start time:20:28:02
                                                                                                                                                                                                                                                                  Start date:22/12/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                                                                                                  Start time:20:28:03
                                                                                                                                                                                                                                                                  Start date:22/12/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\Neverlose.cc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\Neverlose.cc.exe"
                                                                                                                                                                                                                                                                  Imagebase:0xa30000
                                                                                                                                                                                                                                                                  File size:57'172'992 bytes
                                                                                                                                                                                                                                                                  MD5 hash:FD8E94F50646325DE0F502B98A9BCC2D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                                                                                  Start time:20:28:03
                                                                                                                                                                                                                                                                  Start date:22/12/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 304
                                                                                                                                                                                                                                                                  Imagebase:0xe70000
                                                                                                                                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true


                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:8.9%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:2.3%
                                                                                                                                                                                                                                                                    Signature Coverage:4.3%
                                                                                                                                                                                                                                                                    Total number of Nodes:346
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:3

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A6C110,00A6C100), ref: 00A6C334
                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00A6C347
                                                                                                                                                                                                                                                                    • Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 00A6C365
                                                                                                                                                                                                                                                                    • ReadProcessMemory.KERNELBASE(0000009C,?,00A6C154,00000004,00000000), ref: 00A6C389
                                                                                                                                                                                                                                                                    • VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 00A6C3B4
                                                                                                                                                                                                                                                                    • WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 00A6C40C
                                                                                                                                                                                                                                                                    • WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 00A6C457
                                                                                                                                                                                                                                                                    • WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 00A6C495
                                                                                                                                                                                                                                                                    • Wow64SetThreadContext.KERNEL32(000000A0,009B0000), ref: 00A6C4D1
                                                                                                                                                                                                                                                                    • ResumeThread.KERNELBASE(000000A0), ref: 00A6C4E0
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                                                                                                                                                                                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                                                                                                                                                                                                                    • API String ID: 2687962208-3857624555
                                                                                                                                                                                                                                                                    • Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                                                                                                                                                                                                    • Instruction ID: 7eefb28598346a04924cf218df0d3791f668558316d46156d77bb15a61d9a262
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A1B1E87664064AAFDB60CF68CC80BEA73B5FF88724F158114EA48AB341D774FA51CB94

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: File$CloseCreateHandleSize
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1378416451-0
                                                                                                                                                                                                                                                                    • Opcode ID: ea2d9652761a4a2b0dbb152704a2aa717950c4bad43ccbdbb5767276aae9c517
                                                                                                                                                                                                                                                                    • Instruction ID: 7bd169f6b5d4cb7f9e3ca0e0d4bc57365d411132a373c2f555763b09920e3493
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ea2d9652761a4a2b0dbb152704a2aa717950c4bad43ccbdbb5767276aae9c517
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1719FB4D04248CFDB10EFA8D599B9DBBF0BF48304F108929E499AB351E774A985CF52

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _strcspn
                                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                                    • API String ID: 3709121408-2766056989
                                                                                                                                                                                                                                                                    • Opcode ID: 6ea36293c46e22584c8110b37355779ed109d54f6446bfbe7deb00621a45d3bf
                                                                                                                                                                                                                                                                    • Instruction ID: fead2febba97c2dc573c8d96e5571cbed81c7c36dc7c6e29d90f02e2e90c3794
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ea36293c46e22584c8110b37355779ed109d54f6446bfbe7deb00621a45d3bf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8732C4B59042698FCB24DF64C981ADEFBF1BF49300F0585AAE849A7301D734AE85CF91

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ConsoleFreeProtectVirtual
                                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                                    • API String ID: 621788221-2766056989
                                                                                                                                                                                                                                                                    • Opcode ID: d9974b528808af9e425b918f8e439a0f31d21795c0a40a109f8b3b2d11dece9d
                                                                                                                                                                                                                                                                    • Instruction ID: c3ba24ed3e37d770e60751a12c269d71395fb6e2b40e626d534cdd7cf18c4542
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9974b528808af9e425b918f8e439a0f31d21795c0a40a109f8b3b2d11dece9d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1741CEB0D00308DFCB04DFA9E98969EBBF0BF48354F118829E458AB350D775A945CF95

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A58366: GetConsoleOutputCP.KERNEL32(21859835,00000000,00000000,?), ref: 00A583C9
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00A48191,?,00A483F3), ref: 00A58141
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A48191,?,00A483F3,?,00A483F3,?,?,?,?,?,?,?,?,?,?), ref: 00A5814B
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2915228174-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 252 a58795-a587ea call a44790 255 a587ec 252->255 256 a5885f-a5886f call a411f9 252->256 258 a587f2 255->258 260 a587f8-a587fa 258->260 261 a58814-a58839 WriteFile 260->261 262 a587fc-a58801 260->262 265 a58857-a5885d GetLastError 261->265 266 a5883b-a58846 261->266 263 a58803-a58809 262->263 264 a5880a-a58812 262->264 263->264 264->260 264->261 265->256 266->256 267 a58848-a58853 266->267 267->258 268 a58855 267->268 268->256
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00A58127,?,00A483F3,?,?,?,00000000), ref: 00A58831
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A58127,?,00A483F3,?,?,?,00000000,?,?,?,?,?,00A48191,?,00A483F3), ref: 00A58857
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 442123175-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 269 a51f19-a51f1e 270 a51f20-a51f38 269->270 271 a51f46-a51f4f 270->271 272 a51f3a-a51f3e 270->272 274 a51f61 271->274 275 a51f51-a51f54 271->275 272->271 273 a51f40-a51f44 272->273 276 a51fbb-a51fbf 273->276 279 a51f63-a51f70 GetStdHandle 274->279 277 a51f56-a51f5b 275->277 278 a51f5d-a51f5f 275->278 276->270 280 a51fc5-a51fc8 276->280 277->279 278->279 281 a51f72-a51f74 279->281 282 a51f9d-a51faf 279->282 281->282 284 a51f76-a51f7f GetFileType 281->284 282->276 283 a51fb1-a51fb4 282->283 283->276 284->282 285 a51f81-a51f8a 284->285 286 a51f92-a51f95 285->286 287 a51f8c-a51f90 285->287 286->276 288 a51f97-a51f9b 286->288 287->276 288->276
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00A51E08,00A6B810), ref: 00A51F65
                                                                                                                                                                                                                                                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00A51E08,00A6B810), ref: 00A51F77
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileHandleType
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3000768030-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32 ref: 00A31BA8
                                                                                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32 ref: 00A31BC8
                                                                                                                                                                                                                                                                      • Part of subcall function 00A31870: CreateFileA.KERNELBASE ref: 00A318F3
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileModule$CreateHandleName
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2828212432-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 294 a50487-a50490 295 a50492-a504a5 RtlFreeHeap 294->295 296 a504bf-a504c0 294->296 295->296 297 a504a7-a504be GetLastError call a4c6ad call a4c664 295->297 297->296
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,00A546B0,?,00000000,?,?,00A54350,?,00000007,?,?,00A54C96,?,?), ref: 00A5049D
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00A546B0,?,00000000,?,?,00A54350,?,00000007,?,?,00A54C96,?,?), ref: 00A504A8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 485612231-0
                                                                                                                                                                                                                                                                    • Opcode ID: c3e10fc63337fbe1bd721dad5163e3edac03756f751db7a1ebdcd14cfdb9fb64
                                                                                                                                                                                                                                                                    • Instruction ID: 4845ca3d1fb03ed88d516cb76e0634a4084de5244c875fd45ce5315a909f7181
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3e10fc63337fbe1bd721dad5163e3edac03756f751db7a1ebdcd14cfdb9fb64
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3E08631200704AFCF11ABE0ED09F957A78AB51751F158021FB0C96060CAB98841CB84

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 536dff3a75b9e63649eddb666f23cb77ebeb12d457f1b3273b2892e7a68abd08
                                                                                                                                                                                                                                                                    • Instruction ID: 308b1cd5409541ad980682529e74eb433fa9509c4335579bb30f611e2cdcf753
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 536dff3a75b9e63649eddb666f23cb77ebeb12d457f1b3273b2892e7a68abd08
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B31853690011AAFCF14CFA8C990AEDB7B9FF49360B640269F911E7691D731E954CB50

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A419F9: GetModuleHandleExW.KERNEL32(00000002,00000000,00A3E1E1,?,?,00A419BC,?,?,00A4198D,?,?,?,00A3E1E1), ref: 00A41A05
                                                                                                                                                                                                                                                                    • FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,21859835,?,?,?,00A60244,000000FF), ref: 00A41AEF
                                                                                                                                                                                                                                                                      • Part of subcall function 00A3B1F0: std::_Throw_Cpp_error.LIBCPMT ref: 00A3B21C
                                                                                                                                                                                                                                                                      • Part of subcall function 00A3B1F0: std::_Throw_Cpp_error.LIBCPMT ref: 00A3B238
                                                                                                                                                                                                                                                                      • Part of subcall function 00A4386F: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00A3B2B9,?,00A3F9C2), ref: 00A43884
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Cpp_errorThrow_std::_$CallbackExclusiveFreeHandleLibraryLockModuleReleaseReturnsWhen
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1423221283-0
                                                                                                                                                                                                                                                                    • Opcode ID: 75cb13df71ca6a83852fe2f95912f87551be1ba37af24039ec8f796bb262e21f
                                                                                                                                                                                                                                                                    • Instruction ID: c0ac40b1956a9397150844bbc2feff6b5372e59571d498a89e14a199ef7cf30e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75cb13df71ca6a83852fe2f95912f87551be1ba37af24039ec8f796bb262e21f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DA11EB3A600600ABCF15EB66DD15A1E7779FB84760F10451FF506972A1DF75D882CA90

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CriticalLeaveSection
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3988221542-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3209e58e41a67410d8c75b0e42afee37aa5693b2064299b3f199b04b3aae5b07
                                                                                                                                                                                                                                                                    • Instruction ID: 78daa0afa39e92ce4f19e2eebaf40d58c6fc8ba70e52424af3bde574858b5616
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3209e58e41a67410d8c75b0e42afee37aa5693b2064299b3f199b04b3aae5b07
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B801D13A60824A0ADB65DB78A9697A8BB20EFC6374BA441BFE452980D2CB224855C710

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: EqualPrefix
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 447727826-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 399 a504c1-a504cd 400 a504ff-a5050a call a4c664 399->400 401 a504cf-a504d1 399->401 409 a5050c-a5050e 400->409 402 a504d3-a504d4 401->402 403 a504ea-a504fb RtlAllocateHeap 401->403 402->403 405 a504d6-a504dd call a4d224 403->405 406 a504fd 403->406 405->400 411 a504df-a504e8 call a4a7ef 405->411 406->409 411->400 411->403
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00A4119F,?,?,00A331F2,00001000,?,00A3313A), ref: 00A504F3
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1279760036-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 414 a40500-a40516 call a3b060 417 a40521 call a41da0 414->417 418 a4051c 414->418 419 a40526-a40536 call a3b090 call a40790 417->419 418->419 423 a40539-a40540 419->423
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00A40521
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 118556049-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00A3BA01
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 118556049-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __floor_pentium4
                                                                                                                                                                                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                                    • Opcode ID: eceb8083c3c2e9180e6651266d2ec05b2c4ff94b0db40682f2b6cf2281507944
                                                                                                                                                                                                                                                                    • Instruction ID: 00645ec6b3893e62ad33932b71001886bdc4f5341523f5dc60a5204a894a57b1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eceb8083c3c2e9180e6651266d2ec05b2c4ff94b0db40682f2b6cf2281507944
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AD22871E082288FDB65CF28DD407EAB7B5FB44316F1541EAD80DA7244E778AE898F41
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00A557A4,00000002,00000000,?,?,?,00A557A4,?,00000000), ref: 00A55E6C
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,00A557A4,00000002,00000000,?,?,?,00A557A4,?,00000000), ref: 00A55E95
                                                                                                                                                                                                                                                                    • GetACP.KERNEL32(?,?,00A557A4,?,00000000), ref: 00A55EAA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                                    • Opcode ID: a307193462bc4244193a133a713ebb3bfd7243c061d45f13c62c8ac998213738
                                                                                                                                                                                                                                                                    • Instruction ID: 0785ada9b597e0cda458d9bce4fbd320f0c645b81e58fbe083fb8c507006f8cf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a307193462bc4244193a133a713ebb3bfd7243c061d45f13c62c8ac998213738
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79215132E00900AADB25CF74C926A9772B7FF54F66B568424ED0AD7100E732EF49C790
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00A55776
                                                                                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00A557B4
                                                                                                                                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00A557C7
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A5580F
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A5582A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 415426439-0
                                                                                                                                                                                                                                                                    • Opcode ID: 2c316ee1064c36c4f2857a873b73caef2c1b63ba311990348056b9034c0af5e3
                                                                                                                                                                                                                                                                    • Instruction ID: 1f91a7b5769d1c18d2fd89f8a18038650cbd8ba016b0d8a80ede1dc0659cb293
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c316ee1064c36c4f2857a873b73caef2c1b63ba311990348056b9034c0af5e3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1515E71E00A09EFDB10DFB5CD55AAE77B8FF18702F184469ED11EB190E7709A488B61
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                                                                    • Instruction ID: 3cff01f30193feb01c3b31eefbfdb9fc31d7464c4259e360f59f6e3998d8d1fc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A023A75E002199BDF14CFA9D980AAEFBF1FF88314F258269D919E7381D731A941CB90
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00A564A5
                                                                                                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00A56599
                                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00A565D8
                                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00A5660B
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1164774033-0
                                                                                                                                                                                                                                                                    • Opcode ID: ca8c5cb77d574ac2a685311da9ed63dc187f9671e88c8cf77eca88dbe603b9e6
                                                                                                                                                                                                                                                                    • Instruction ID: 4f4add12e3eb23355a4bd3dbc2b5645fa7fe600a4525a3c42b87f8baab3bd47b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ca8c5cb77d574ac2a685311da9ed63dc187f9671e88c8cf77eca88dbe603b9e6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D7108B1D45158AFDF20EF28CD89ABEBBB4BF05302F9441D9E849A7211DA314E89CF10
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A4407F
                                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00A4414B
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A44164
                                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00A4416E
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                                                                                    • Opcode ID: 085a8a0930d8482e3bf9560291706a30b18a17a9ec5da54477d5a1e8c475b7a1
                                                                                                                                                                                                                                                                    • Instruction ID: 7db986a60308338de294d1c46d515e05744759defa0aba995bf2272c2df3741b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 085a8a0930d8482e3bf9560291706a30b18a17a9ec5da54477d5a1e8c475b7a1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F312879D012189BDF20DFA4D9497CDBBB8AF58300F1041AAE50CAB250EBB59B858F45
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A559AE
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A559F8
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A55ABE
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 661929714-0
                                                                                                                                                                                                                                                                    • Opcode ID: 246d82631bf52521b713b4ee94d750fa8ab7c898db72705579523f19793ae4e9
                                                                                                                                                                                                                                                                    • Instruction ID: 7dd884c19406cd23a38c94b4d0b5a5758fe8a89442365db0e71263945b05db56
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 246d82631bf52521b713b4ee94d750fa8ab7c898db72705579523f19793ae4e9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3161AF71910A179FDB289F38CDA6BAA77B8FF04352F1041A9EE05C6181F774D989CB50
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A4CEA8
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A4CEB2
                                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A4CEBF
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                    • Opcode ID: f7ed95f6243143fb22961cfeb29406c37656cd34486fa9e9ef44444d90ebf24a
                                                                                                                                                                                                                                                                    • Instruction ID: 9942658d785b840f0442594a7a382e366c82f65f4e2034db47861c468fb359e0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f7ed95f6243143fb22961cfeb29406c37656cd34486fa9e9ef44444d90ebf24a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5831037990122C9BCB21DF68DD8978CBBB8BF58310F5041EAE80CA7250E7709F858F45
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00A43918,00A4386B,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A44827
                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,21859835,?,?,00A60227,000000FF,?,00A44534,?,?,?,?,00A44558,00000000,?), ref: 00A4482B
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Time$FileSystem$Precise
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 743729956-0
                                                                                                                                                                                                                                                                    • Opcode ID: 2ed45336c9baa92c45adb00641d2b5a090400de41b56ea2552370bdd1af6bed8
                                                                                                                                                                                                                                                                    • Instruction ID: b581a829ccaa783e5835c43e6a0286b5465764eae42df213fb3e82b71bf4959f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ed45336c9baa92c45adb00641d2b5a090400de41b56ea2552370bdd1af6bed8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3F0307AA44554EFC701DF94EC45B99B7B8FB48B10F00462AE812A36A0DB7569018B91
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A59BCE,?,?,00000008,?,?,00A6005B,00000000), ref: 00A59EA0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionRaise
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3997070919-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A43CF5
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2325560087-0
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A55C60
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                                                                                                    • API String ID: 0-4108050209
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00A5595A,00000001,00000000,?,-00000050,?,00A5574A,00000000,-00000002,00000000,?,00000055,?), ref: 00A55931
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A55D80
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A55B76,00000000,00000000,?), ref: 00A55F05
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00A55C0C,00000001,?,?,-00000050,?,00A55712,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00A55BF7
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A4D047: EnterCriticalSection.KERNEL32(?,?,00A4A841,00000000,00A6B3D8,0000000C,00A4A7FA,00001000,?,00A517CA,00001000,?,00A508B1,00000001,00000364,?), ref: 00A4D056
                                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00A5169A,00000001,00A6B7F0,0000000C,00A510A8,-00000050), ref: 00A516DF
Memory Dump Source
• Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1272433827-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00A55D2C,00000001,?,?,?,00A5576C,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00A55D18
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00A4BDA3,?,20001004,00000000,00000002,?,?,00A4ACB5), ref: 00A511E0
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00014188), ref: 00A4406C
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                    APIs
Memory Dump Source
• Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: HeapProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 54951025-0
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 127012223-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A445F0
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A4461C
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A4465B
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A44678
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A446B7
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A446D4
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A44716
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A44739
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2040435927-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _strrchr
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3213747228-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45477
                                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00A4547F
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45508
                                                                                                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00A45533
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45588
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,21859835,?,00A51508,00A331F2,?,00000000,?), ref: 00A514BA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                                    • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A447C1
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00A447CF
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00A447E0
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                                    • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                                                    • API String ID: 667068680-1047828073
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c346ab39e9bbe494ad1ca0719b3d05b44488330975f2379126c6d31327729f77
                                                                                                                                                                                                                                                                    • Instruction ID: cceb23fd5f1c07cfd9a0afbb0bf4c5bb8560fb7e509a482bea9ec71cd962fdb1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c346ab39e9bbe494ad1ca0719b3d05b44488330975f2379126c6d31327729f77
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 30B10370A04249EFDB05CF98D981BBEBBB1BF4A311F144258ED14AF292C770994ACB60
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00A4F2A3,00A44E61,00A441CC), ref: 00A4F2BA
                                                                                                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A4F2C8
                                                                                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A4F2E1
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,00A4F2A3,00A44E61,00A441CC), ref: 00A4F333
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                                                                                                    • Opcode ID: 56d3231e75d1137ab319423273c4c753199d7660f2541a788a12143d842bb5fa
                                                                                                                                                                                                                                                                    • Instruction ID: ee9ce2c224c1d263a4266d1f12cc22b2aa832aa5244ff6286bd7f6dde41cf4a5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 56d3231e75d1137ab319423273c4c753199d7660f2541a788a12143d842bb5fa
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6801FC3A7093115ED614ABF9BC4999B26E5EB91379730133DF920490F1EFD14C029681
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 00A4FC43
                                                                                                                                                                                                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 00A4FEBC
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                                    • String ID: csm$csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                                    • Opcode ID: dc054fc3486babc63264fe7a46eeaec2d9de49331d2548e8282c3d1f3178758e
                                                                                                                                                                                                                                                                    • Instruction ID: 0eedfa2ace80a63077027919893a001ca08e34bd9df0ff88e95c66b0e78eeaf7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dc054fc3486babc63264fe7a46eeaec2d9de49331d2548e8282c3d1f3178758e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DB18B39D00209EFCF28DFA4C9819AEBBB5FF84315F10516AE800AB216D775DA51CFA1
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,21859835,?,?,00000000,00A60244,000000FF,?,00A4A5FD,00A4A4E4,?,00A4A699,00000000), ref: 00A4A571
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A4A583
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00A60244,000000FF,?,00A4A5FD,00A4A4E4,?,00A4A699,00000000), ref: 00A4A5A5
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                    • Opcode ID: ca3d58b7eaaeaf3a5cf6e253794c321384b9ccbf257f2ffc447b0d6bad87abd7
                                                                                                                                                                                                                                                                    • Instruction ID: 8bf59f53c9ef0e3c210ad1975933a2b948ec8871c9606ec8a176afc994bfb91d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ca3d58b7eaaeaf3a5cf6e253794c321384b9ccbf257f2ffc447b0d6bad87abd7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE01D675A40615BFCB01CF90CC09FAEBBB8FB54B11F000A25F812A22E0DBB49D01CE92
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A51C52
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A51D1B
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51D82
                                                                                                                                                                                                                                                                      • Part of subcall function 00A504C1: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A4119F,?,?,00A331F2,00001000,?,00A3313A), ref: 00A504F3
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51D95
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51DA2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1423051803-0
                                                                                                                                                                                                                                                                    • Opcode ID: 778fa82297abf9a1a86f0787f680d84cb5bd42e3a320fbc1f0cf0a47e6b31402
                                                                                                                                                                                                                                                                    • Instruction ID: 5a2877d07170399732e66c7bac28a113fe5517ba65da17151d3fd0614bfa21ab
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 778fa82297abf9a1a86f0787f680d84cb5bd42e3a320fbc1f0cf0a47e6b31402
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B519BB2600206ABEB209FA0CD81FBB7BBAFF84712F190528FD04D6151FA75DD588660
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A438A2
                                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A438C1
                                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A438EF
                                                                                                                                                                                                                                                                    • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A4394A
                                                                                                                                                                                                                                                                    • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A43961
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 66001078-0
                                                                                                                                                                                                                                                                    • Opcode ID: 56333ff92f8f00a7e55fd11b32a0c411b66959806f2ee36a14933031034d37d8
                                                                                                                                                                                                                                                                    • Instruction ID: 2889062e90774ba868bb5e4948644228a1ae711567b0f38544f355f961ae109e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 56333ff92f8f00a7e55fd11b32a0c411b66959806f2ee36a14933031034d37d8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C416D3A500A06DFCF20DF66C4A0A6AF3F5FF89350B504A19E456D7642E7B0EA85CF51
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 00A41853
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A4185E
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A418CC
                                                                                                                                                                                                                                                                      • Part of subcall function 00A41755: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A4176D
                                                                                                                                                                                                                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00A41879
                                                                                                                                                                                                                                                                    • _Yarn.LIBCPMT ref: 00A4188F
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1088826258-0
                                                                                                                                                                                                                                                                    • Opcode ID: ca87baf080c2a2a9008d786442d09a670e7aa9a0602db38de8d382db2f846bbf
                                                                                                                                                                                                                                                                    • Instruction ID: 1a798f75f78d720afff10420397ec98f16472ab0ff022647f656dd0a4d2bdcd5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ca87baf080c2a2a9008d786442d09a670e7aa9a0602db38de8d382db2f846bbf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D5018F7DA002109BDB06EFA0D9559BC7BB1BFC4750B144449E812573A1EF74AE83CB82
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A5AC9D,00000000,?,00A6EFA0,?,?,?,00A5ABD4,00000004,InitializeCriticalSectionEx,00A64F0C,00A64F14), ref: 00A5AC0E
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A5AC9D,00000000,?,00A6EFA0,?,?,?,00A5ABD4,00000004,InitializeCriticalSectionEx,00A64F0C,00A64F14,00000000,?,00A5016C), ref: 00A5AC18
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A5AC40
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                    • String ID: api-ms-
                                                                                                                                                                                                                                                                    • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                                    • Opcode ID: eedf5758b9630d394642f113282cf633c0322270b587b35efc702bf69e36962f
                                                                                                                                                                                                                                                                    • Instruction ID: f31296c0cc80575e9a721034ad1682637a9fada0975c15316fcc48dff362c058
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eedf5758b9630d394642f113282cf633c0322270b587b35efc702bf69e36962f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92E01A30380204BBEB105FE0ED06B593E69BB30B47F154020FD0DA80E1DBB198558A4A
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetConsoleOutputCP.KERNEL32(21859835,00000000,00000000,?), ref: 00A583C9
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A5861B
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A58661
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A58704
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2112829910-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AdjustPointer
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1740715915-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A561F6
                                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00A561FD
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A56237
                                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00A5623E
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1913693674-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00A57590
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A575C8
                                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A575E8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                     • Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 158306478-0
                                                                                                                                                                                                                                                                    • Opcode ID: ee643db371e4674cb23497edb7ef41fce1425301bce73ee1eab590572fffa0a9
                                                                                                                                                                                                                                                                    • Instruction ID: 74e4283a5a93d52f8033df276eb4479dade25b650e6eced03d6693bf4a590066
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ee643db371e4674cb23497edb7ef41fce1425301bce73ee1eab590572fffa0a9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E1166F25056157EA711A3B56E8DC7F697CFE5939A7100414FD02F1001FEB4CE0985B5
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 00A43296
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A432A0
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::_Lockit.LIBCPMT ref: 00A3438E
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::~_Lockit.LIBCPMT ref: 00A343B9
                                                                                                                                                                                                                                                                    • codecvt.LIBCPMT ref: 00A432DA
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A43311
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3716348337-0
                                                                                                                                                                                                                                                                    • Opcode ID: ec430a5ad0c6973b16b799b9cfd4374b6a5ed9507fa5afde970550d6773a4738
                                                                                                                                                                                                                                                                    • Instruction ID: 0d572658c69b776425504235605c2c50b540f1a48836b929a56333d030156fb5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ec430a5ad0c6973b16b799b9cfd4374b6a5ed9507fa5afde970550d6773a4738
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F01963EA002199BCF05EFA4DA55AEE7771AFD4710F140108F511AB291DFB4AE41CB82
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000), ref: 00A5F0C7
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?,?,?,00A5809E,?), ref: 00A5F0D3
                                                                                                                                                                                                                                                                      • Part of subcall function 00A5F124: CloseHandle.KERNEL32(FFFFFFFE,00A5F0E3,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?,?), ref: 00A5F134
                                                                                                                                                                                                                                                                    • ___initconout.LIBCMT ref: 00A5F0E3
                                                                                                                                                                                                                                                                      • Part of subcall function 00A5F105: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A5F0A1,00A5E58C,?,?,00A58758,?,00000000,00000000,?), ref: 00A5F118
                                                                                                                                                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?), ref: 00A5F0F8
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2744216297-0
                                                                                                                                                                                                                                                                    • Opcode ID: b5bd96661b2cff762863a868801b86d714051ead3201e1e027054d6fd43d6f07
                                                                                                                                                                                                                                                                    • Instruction ID: 7bed7a3c634f410985eaccd9d12b7f670dc180826ebaff783b13b7c538eb50f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5bd96661b2cff762863a868801b86d714051ead3201e1e027054d6fd43d6f07
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4F01C3A541515FFCF229FD5DC089893F3AFB197A2B054520FE0896120E7728821AFA1
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A44C22
                                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A44C31
                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00A44C3A
                                                                                                                                                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 00A44C47
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2933794660-0
                                                                                                                                                                                                                                                                    • Opcode ID: 00f177b5c8437123f272e32d8b9471302001dd3f6fe6dbc94513ca799df84429
                                                                                                                                                                                                                                                                    • Instruction ID: 6e19a935dbfb3df08f05adede136c2d40f2d53bc3c341e1fff7723d991ff0745
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 00f177b5c8437123f272e32d8b9471302001dd3f6fe6dbc94513ca799df84429
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 40F05F74D1020DEBCB00EBF4D94999EBBF4EF2C204B918996E412F7110E774AA459F51
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00A4AB4D,?,?,?,00000055,?,-00000050,?,?,?), ref: 00A54E31
                                                                                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00A4AB4D,?,?,?,00000055,?,-00000050,?,?), ref: 00A54E68
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                                                    • String ID: utf8
                                                                                                                                                                                                                                                                    • API String ID: 943130320-905460609
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A4FE49,?,?,00000000,00000000,00000000,?), ref: 00A4FF6D
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: EncodePointer
                                                                                                                                                                                                                                                                    • String ID: MOC$RCC
                                                                                                                                                                                                                                                                    • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00A4FA2B
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ___except_validate_context_record
                                                                                                                                                                                                                                                                    • String ID: csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A4200A
                                                                                                                                                                                                                                                                    • RaiseException.KERNEL32(?,?,?,?), ref: 00A4202F
                                                                                                                                                                                                                                                                      • Part of subcall function 00A44D23: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A43ADE,?,?,?,?,00A43ADE,00001000,00A6AE2C,00001000), ref: 00A44D84
                                                                                                                                                                                                                                                                      • Part of subcall function 00A4D2B9: IsProcessorFeaturePresent.KERNEL32(00000017,00A47E7B,?,?,?,?,00000000), ref: 00A4D2D5
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                                    • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A360DF
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::_Lockit.LIBCPMT ref: 00A3438E
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::~_Lockit.LIBCPMT ref: 00A343B9
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A361AB
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                                                    • String ID: Gc
                                                                                                                                                                                                                                                                    • API String ID: 593203224-2895083218
                                                                                                                                                                                                                                                                    • Opcode ID: af089ba70babc2a85caed3bf0080aa966f2fcdedb7402263aa3342c7efbe49fe
                                                                                                                                                                                                                                                                    • Instruction ID: ff94f3b5d9e67090a4355a8b57b79bd0ef57e09ff0e91943d4b4a8b3f6a5162d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: af089ba70babc2a85caed3bf0080aa966f2fcdedb7402263aa3342c7efbe49fe
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C33176B5D042099BCF04EFA8D5855EEBBF0FF48300F50856AE856A7351EB34AA45CF91
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A362AF
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::_Lockit.LIBCPMT ref: 00A3438E
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::~_Lockit.LIBCPMT ref: 00A343B9
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3637B
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                                                                                                    • String ID: @Gc
                                                                                                                                                                                                                                                                    • API String ID: 593203224-3831021042
                                                                                                                                                                                                                                                                    • Opcode ID: 1b65c3c3af55b31cd899d1eea9bdfcf0e5b485b224a465c8f2bdafb4e3dcd55b
                                                                                                                                                                                                                                                                    • Instruction ID: b04f8bea0e7f9eea49fe164b3c0b532056d93a6f317415ac3ab7e1a9ea2cafc4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b65c3c3af55b31cd899d1eea9bdfcf0e5b485b224a465c8f2bdafb4e3dcd55b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 803196B9D04209DFCB04EFA8D5955EEBBF0FF48300F104569E856AB251EB34AA85CB91
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1977563814.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000000.00000002.1977547867.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977592353.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977610709.0000000000A6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977626482.0000000000A6D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977643630.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977660248.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977693786.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CommandLine
                                                                                                                                                                                                                                                                    • String ID: %b
                                                                                                                                                                                                                                                                    • API String ID: 3253501508-2944287759
                                                                                                                                                                                                                                                                    • Opcode ID: 1cfb18b74476a6e0190a73338f2c92897aa02519a0e106936744e3fc7caee661
                                                                                                                                                                                                                                                                    • Instruction ID: 34ed515a124785fba36f0126f94ba2cab436ccf964ed4e322b4c0496d7b6d36f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1cfb18b74476a6e0190a73338f2c92897aa02519a0e106936744e3fc7caee661
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6CB0927CD10200CFEB02CFF4B90C4043BB0B22C2423804156D822E2320DBB48083CF42

                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:1.4%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                    Signature Coverage:36.2%
                                                                                                                                                                                                                                                                    Total number of Nodes:58
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:4

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: nq[P$rq[P
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-2909691123
                                                                                                                                                                                                                                                                    • Opcode ID: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
                                                                                                                                                                                                                                                                    • Instruction ID: b607d9503db8f49fc5eb3f4a9d08a94e19dddf56f676e5841e6c9b2ad61a41b1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A451E536E501558FDB18CF28CC815BEB763FBC9310F2A5269D592A7356CB78AC02C798

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • ExitProcess.KERNEL32(00000000), ref: 0040897D
                                                                                                                                                                                                                                                                      • Part of subcall function 0040C7C0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C7D3
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExitInitializeProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2609639641-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 83 439af0-439b22 LdrInitializeThunk
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LdrInitializeThunk.NTDLL(0043BC68,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439B1E
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 75 433f96-433fde call 43b5e0 GetUserDefaultUILanguage 78 433fe0-433fe3 75->78 79 434010-434041 78->79 80 433fe5-43400e 78->80 80->78
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetUserDefaultUILanguage.KERNELBASE ref: 00433FB6
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: DefaultLanguageUser
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 95929093-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 81 40c7f3-40c829 CoInitializeSecurity
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C805
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeSecurity
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 640775948-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 82 40c7c0-40c7f0 CoInitializeEx
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C7D3
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Initialize
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2538663250-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 84 439ab6-439ac8 call 43b250 RtlReAllocateHeap 87 439ae0-439ae2 84->87
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00439AC2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1279760036-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 88 4380b0-4380ba RtlAllocateHeap
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 004380BA
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1279760036-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 90 4380f3-438105 call 43b250 RtlFreeHeap
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(?,00000000), ref: 004380FE
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Uninitialize
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3861434553-0
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: NV[K$UAPS$UXWZ$VM$VQlJ$h$mtwz$n$rrip$tYCZ
                                                                                                                                                                                                                                                                    • API String ID: 0-3331790720
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: C>X0$D$D"A$$J6EH$MN$P&@8$]*N,$^:B<$xYw[
                                                                                                                                                                                                                                                                    • API String ID: 0-3292156457
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: DCBA$DCBA$DCBA$[\$5Zl$5Zl$Z\$^P
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-3151724278
                                                                                                                                                                                                                                                                    • Opcode ID: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                                                                                                                                                                                                    • Instruction ID: 30ab7f929d8a07dc3d8873c68d2278d649e136490da9de6a5d43bf32cd8d4692
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1892A8316493409BD720CF64C8857AFB7E2FBD5300F18856EE5859B391D3B99C82CB9A
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: L$d"d$$l2r4$m:i<$|&t8$Z\$^P
                                                                                                                                                                                                                                                                    • API String ID: 0-1724584702
                                                                                                                                                                                                                                                                    • Opcode ID: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                                                                                                                                                                                                    • Instruction ID: 2a9502ae1b22e79b802cbd78b7a1b8f54dc075db748f69bc6e5fa1cfc8ef5e0c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F6134B29093908BD335CF5684923EBBAE2EBD9304F58892DC4CD6B355D7384552CB8B
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00A557A4,?,00000000), ref: 00A55E6C
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00A557A4,?,00000000), ref: 00A55E95
                                                                                                                                                                                                                                                                    • GetACP.KERNEL32(?,?,00A557A4,?,00000000), ref: 00A55EAA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                                    • Opcode ID: a307193462bc4244193a133a713ebb3bfd7243c061d45f13c62c8ac998213738
                                                                                                                                                                                                                                                                    • Instruction ID: 0785ada9b597e0cda458d9bce4fbd320f0c645b81e58fbe083fb8c507006f8cf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a307193462bc4244193a133a713ebb3bfd7243c061d45f13c62c8ac998213738
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79215132E00900AADB25CF74C926A9772B7FF54F66B568424ED0AD7100E732EF49C790
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: GetLastError.KERNEL32(00000000,?,00A52A49), ref: 00A50717
                                                                                                                                                                                                                                                                      • Part of subcall function 00A50713: SetLastError.KERNEL32(00000000,?,?,00000028,00A4D2C9), ref: 00A507B9
                                                                                                                                                                                                                                                                    • GetUserDefaultLCID.KERNEL32 ref: 00A55776
                                                                                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00A557B4
                                                                                                                                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00A557C7
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00A5580F
                                                                                                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00A5582A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 415426439-0
                                                                                                                                                                                                                                                                    • Opcode ID: 2c316ee1064c36c4f2857a873b73caef2c1b63ba311990348056b9034c0af5e3
                                                                                                                                                                                                                                                                    • Instruction ID: 1f91a7b5769d1c18d2fd89f8a18038650cbd8ba016b0d8a80ede1dc0659cb293
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c316ee1064c36c4f2857a873b73caef2c1b63ba311990348056b9034c0af5e3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1515E71E00A09EFDB10DFB5CD55AAE77B8FF18702F184469ED11EB190E7709A488B61
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: ";G$d<$l$nv$tr
                                                                                                                                                                                                                                                                    • API String ID: 0-995644117
                                                                                                                                                                                                                                                                    • Opcode ID: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
                                                                                                                                                                                                                                                                    • Instruction ID: df48264671a07a49878f384e58ab6bb208ea46f082ef2c8c8ba53de654e0de4f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1612AE7550D3D08BD3328F2688906EBBFE1ABD7304F184A6DD4C95B392C73A5909CB96
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                                                                    • Instruction ID: 3cff01f30193feb01c3b31eefbfdb9fc31d7464c4259e360f59f6e3998d8d1fc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A023A75E002199BDF14CFA9D980AAEFBF1FF88314F258269D919E7381D731A941CB90
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A4407F
                                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00A4414B
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A44164
                                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00A4416E
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                                                                                    • Opcode ID: 085a8a0930d8482e3bf9560291706a30b18a17a9ec5da54477d5a1e8c475b7a1
                                                                                                                                                                                                                                                                    • Instruction ID: 7db986a60308338de294d1c46d515e05744759defa0aba995bf2272c2df3741b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 085a8a0930d8482e3bf9560291706a30b18a17a9ec5da54477d5a1e8c475b7a1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F312879D012189BDF20DFA4D9497CDBBB8AF58300F1041AAE50CAB250EBB59B858F45
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $&=",$)${yrs
                                                                                                                                                                                                                                                                    • API String ID: 0-1254945749
                                                                                                                                                                                                                                                                    • Opcode ID: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                                                                                                                                                                                                    • Instruction ID: 81033180e824efb6238312a03b4fd97b2519aaf2c39ab56ec81eecc0e62b379a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EB52367590C3908FC725CF25C8807AFBBE1AF96304F08856EE8D55B392D739894ACB56
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: +[J;$DCBA$DCBA$f
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-979426530
                                                                                                                                                                                                                                                                    • Opcode ID: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                                                                                                                                                                                                    • Instruction ID: 6e64e34dcd31ac6d1c56d3237c8ca23546036134a602b87600847ab7c5b3d5d6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A912F3716083418BC718CF29C89072BB7E2FBD9314F189A6EF49597391DB79ED018B86
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: DCBA$DCBA$DCBA$DCBA
                                                                                                                                                                                                                                                                    • API String ID: 0-1380943437
                                                                                                                                                                                                                                                                    • Opcode ID: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                                                                                                                                                                                                    • Instruction ID: db2459913d76577c8d131428bae0f0046f550a55b2fe272ecb3189ba83e80acf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AC113316083119BD710DF50C881B2BF7E2EB89714F16A97EE98567382D7799C018BAA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 5+$)'->$Yysw$p.
                                                                                                                                                                                                                                                                    • API String ID: 0-3271381888
                                                                                                                                                                                                                                                                    • Opcode ID: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
                                                                                                                                                                                                                                                                    • Instruction ID: a0bfec2fd4801fa297db708dd0ce194928d6281eb9dfd43985bf1e531d4ceda7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 63B1013050C3D18BD7358F3998A17ABBBD19F97314F5888AED5C98B382D779400A8B67
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: ",*"$%!+!$1<7n$jrj-
                                                                                                                                                                                                                                                                    • API String ID: 0-1366688494
                                                                                                                                                                                                                                                                    • Opcode ID: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
                                                                                                                                                                                                                                                                    • Instruction ID: cbffaeedfb35219c005300c1b01725cc43cf78952604f74f2e29baaef4c71618
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 73A1E47124C3919AC316CF3994A07ABFFE09F97304F48496DE4D55B382D339890AC7AA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: <=$<=$LGHI$CIE
                                                                                                                                                                                                                                                                    • API String ID: 0-1119745755
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 9=$@bq$@bq
                                                                                                                                                                                                                                                                    • API String ID: 0-316456066
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: <#:Z$DCBA$IO{B
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-3001781657
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: 36;$DCBA
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-4072228999
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: DCBA$DCBA
                                                                                                                                                                                                                                                                    • API String ID: 0-1149900676
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                                                                                                    • API String ID: 0-113910852
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                                                                                                    • API String ID: 0-123907689
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: wH
                                                                                                                                                                                                                                                                    • API String ID: 0-1503671404
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: ~
                                                                                                                                                                                                                                                                    • API String ID: 0-1707062198
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: WXY
• API String ID: 0-578357071
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: DCBA
• API String ID: 0-2222620526
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: ytyu
• API String ID: 0-3122247562
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: ytyu
• API String ID: 0-3122247562
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: ytyu
• API String ID: 0-3122247562
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: !y{{
• API String ID: 0-1777749009
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID: InitializeThunk
• String ID: DCBA
• API String ID: 2994545307-2222620526
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID:
• String ID: DCBA
• API String ID: 0-2222620526
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    • String ID: DCBA
                                                                                                                                                                                                                                                                    • API String ID: 2994545307-2222620526
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $(Ca
                                                                                                                                                                                                                                                                    • API String ID: 0-3651910949
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: DCBA
                                                                                                                                                                                                                                                                    • API String ID: 0-2222620526
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: DCBA
                                                                                                                                                                                                                                                                    • API String ID: 0-2222620526
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: nt
                                                                                                                                                                                                                                                                    • API String ID: 0-3989823987
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: DCBA
                                                                                                                                                                                                                                                                    • API String ID: 0-2222620526
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InitializeThunk
Memory Dump Source
• Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                                                                    • Opcode ID: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
                                                                                                                                                                                                                                                                    • Instruction ID: 2c40c0230266d8b2cfbe3e46dea91ec0ef3861f69abc0ad3f180c9264077abf0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4731D4B56083088FD314EF64E84167B77E2FBDA305F18947DE18593321E778D842968A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
                                                                                                                                                                                                                                                                    • Instruction ID: 0cb7e63ae8744aacaefeca5f920cf5fe8da4bed82846817093fb181a9d0cc02d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B412AB2A0C3908BC728CF25881279FBAE2FBC2304F499E6DD4D59B351D73885068B47
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
                                                                                                                                                                                                                                                                    • Instruction ID: 81e569abe051f961958ec96375d0cfb2aa78fc3b7caf3bd46b5982c106ba7b36
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F62129246086450BC318DE3844A1237B6D6DF9E310F19592ED696DB691EB2CD90187C9
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
                                                                                                                                                                                                                                                                    • Instruction ID: fca41f22eda54ae0133c663ea8b877ba853581e50aeda0c197d52a580c5e259f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00218F3860831B8BCB24DF68C49067EB3F2FF88B84F56D46ED88057224EB389D659715
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
                                                                                                                                                                                                                                                                    • Instruction ID: 30c4168b9de1aa88309de4f0fa0d616f59544a5b9bd3e046015339af948f82e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B21A1379A2B284BD3108EA4DCC57913295E795328F3D86B98934AB3D2D97F9D0346D0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
                                                                                                                                                                                                                                                                    • Instruction ID: 319dea69129caf743b3be47d61f7b803c4b4f15ce93bdd553d01b9543d361ed5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4112934691A008FD769CB34DCA0AA737D3E79B310708D43CC082DB319D639D8139654
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
                                                                                                                                                                                                                                                                    • Instruction ID: 5f0d0020cb13dd4835fa5de00ff150a82e71919640a4629c9d6ebba50eb82aa9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9221383239C3455FE3289F68ACC179B7693EBC7200F28953CD58597395DAB49401864A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 05138cbabdc80a3af10c228aea33de1959a9dce9bf2d62049151e53430b4be4c
                                                                                                                                                                                                                                                                    • Instruction ID: 2c22502caa2999549552e45288962016bce12bbc1d9e56d541357ed696b52ddd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 05138cbabdc80a3af10c228aea33de1959a9dce9bf2d62049151e53430b4be4c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 671101B560C3049BC304EF24E84196BB7E2FBDA305F14983DE68587321E734EC829A4A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794272369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,00A5EDDD,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00A5EE98
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A5EF53
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A5EFE2
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A5F02D
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A5F033
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A5F069
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A5F06F
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A5F07F
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 127012223-0
                                                                                                                                                                                                                                                                    • Opcode ID: 124ad8c9aaef9ad0ab1908463242859732025eac947011b5ad8c068767e7d852
                                                                                                                                                                                                                                                                    • Instruction ID: aa679ff6bb92d3010410c9366f009ed57e596d15e509477c78a26d9907f4d915
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 124ad8c9aaef9ad0ab1908463242859732025eac947011b5ad8c068767e7d852
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F9710672900219AFDF24DF64CD42BAE77B9BF49312F290069FD04A7182EB75DE098761
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00A445F0
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A4461C
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00A4465B
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A44678
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A446B7
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A446D4
                                                                                                                                                                                                                                                                    • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A44716
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A44739
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2040435927-0
                                                                                                                                                                                                                                                                    • Opcode ID: b4b469b1729a78c73cbd73042c0e545ad09fbd8f17eacaf952ca5e99e5965d33
                                                                                                                                                                                                                                                                    • Instruction ID: bfbf72bcf1626c93fe28a7646ff72a0099cda791ec58ba9858a926af9600761d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b4b469b1729a78c73cbd73042c0e545ad09fbd8f17eacaf952ca5e99e5965d33
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7451D27A600206AFEF209FA4CC45FAB7BB9EF89744F254428F915EA190DB70DC118B60
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _strrchr
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3213747228-0
                                                                                                                                                                                                                                                                    • Opcode ID: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                                                                    • Instruction ID: 552d9ba7ea26705961107acf26209174c3aace67f901099d5cf2c4caa686f57f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92B14773A01255AFDF128F28CC81BAE7BB5FF95792F144155ED05AB382E3709A09C7A0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45477
                                                                                                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00A4547F
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45508
                                                                                                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00A45533
                                                                                                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00A45588
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                                    • Opcode ID: 82123d1f18e25221bafdd8c4974108b010c1de40fe650c390865e7b8f1c8dbb9
                                                                                                                                                                                                                                                                    • Instruction ID: 9f34b811560d9d6c58b87d3fbeb3a12939d2c7b743c424a85d01fe9967acce52
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 82123d1f18e25221bafdd8c4974108b010c1de40fe650c390865e7b8f1c8dbb9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9941C338E00618ABCF10DF78C884AAE7BB2BF85315F148155E9199B363D771DE46CB91
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,00A51508,00A331F2,?,00000000,?), ref: 00A514BA
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                                    • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A447C1
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00A447CF
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00A447E0
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                                    • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                                                    • API String ID: 667068680-1047828073
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00A4F2A3,00A44E61,00A441CC), ref: 00A4F2BA
                                                                                                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A4F2C8
                                                                                                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A4F2E1
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,00A4F2A3,00A44E61,00A441CC), ref: 00A4F333
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • type_info::operator==.LIBVCRUNTIME ref: 00A4FC43
                                                                                                                                                                                                                                                                    • CallUnexpected.LIBVCRUNTIME ref: 00A4FEBC
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                                    • String ID: csm$csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00A60244,000000FF,?,00A4A5FD,00A4A4E4,?,00A4A699,00000000), ref: 00A4A571
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A4A583
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00A60244,000000FF,?,00A4A5FD,00A4A4E4,?,00A4A699,00000000), ref: 00A4A5A5
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A51C52
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00A51D1B
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51D82
                                                                                                                                                                                                                                                                      • Part of subcall function 00A504C1: HeapAlloc.KERNEL32(00000000,?,?,?,00A4119F,?,?,00A331F2,00001000,?,00A3313A), ref: 00A504F3
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51D95
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00A51DA2
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1096550386-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CloseFileHandleSize
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3849164406-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A438A2
                                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A438C1
                                                                                                                                                                                                                                                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A438EF
                                                                                                                                                                                                                                                                    • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A4394A
                                                                                                                                                                                                                                                                    • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00A4386B,?,00000000,?,00A3B20C,?,?,00A3D57E), ref: 00A43961
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 66001078-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 00A41853
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A4185E
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A418CC
                                                                                                                                                                                                                                                                      • Part of subcall function 00A41755: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A4176D
                                                                                                                                                                                                                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00A41879
                                                                                                                                                                                                                                                                    • _Yarn.LIBCPMT ref: 00A4188F
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1088826258-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A5AC9D,00000000,?,00A6EFA0,?,?,?,00A5ABD4,00000004,InitializeCriticalSectionEx,00A64F0C,00A64F14), ref: 00A5AC0E
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A5AC9D,00000000,?,00A6EFA0,?,?,?,00A5ABD4,00000004,InitializeCriticalSectionEx,00A64F0C,00A64F14,00000000,?,00A5016C), ref: 00A5AC18
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A5AC40
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                    • String ID: api-ms-
                                                                                                                                                                                                                                                                    • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00A583C9
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A5861B
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A58661
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A58704
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2112829910-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AdjustPointer
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1740715915-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A561F6
                                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00A561FD
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A56237
                                                                                                                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00A5623E
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1913693674-0
                                                                                                                                                                                                                                                                    • Opcode ID: 925b1d97b3275137c3e4d9d2823feb5574908d68ccd00feab76ad3bf9f67955b
                                                                                                                                                                                                                                                                    • Instruction ID: 527aaa33230b67e2b79b9201f2a10909bf3399f1d27d47395218da7cbcac2880
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 925b1d97b3275137c3e4d9d2823feb5574908d68ccd00feab76ad3bf9f67955b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4221C871A00605AFDB20EFA1898097EB7B9FF90366B508619FD1997111D730EC04CB50
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6907ab1d8a0dcafe39e3d4aaf0a60ac5986fc746dd80b4dc4fb00ff3f295dac8
                                                                                                                                                                                                                                                                    • Instruction ID: 7474863523899d21516c5b8190b67e2207d6ee3a58e52e37327d8ebf62e1926c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6907ab1d8a0dcafe39e3d4aaf0a60ac5986fc746dd80b4dc4fb00ff3f295dac8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1021A179208245AFDB20EFB58D41D6EB7A9FFC03647118624FD199B251EB70FC009BA0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00A57590
                                                                                                                                                                                                                                                                      • Part of subcall function 00A505D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A51D78,?,00000000,-00000008), ref: 00A50632
                                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A575C8
                                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A575E8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 158306478-0
                                                                                                                                                                                                                                                                    • Opcode ID: d3055a0dd48c460c8b5a73a71543aa3765dd65743c771b070ccf6529ee964771
                                                                                                                                                                                                                                                                    • Instruction ID: 74e4283a5a93d52f8033df276eb4479dade25b650e6eced03d6693bf4a590066
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d3055a0dd48c460c8b5a73a71543aa3765dd65743c771b070ccf6529ee964771
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E1166F25056157EA711A3B56E8DC7F697CFE5939A7100414FD02F1001FEB4CE0985B5
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 00A43296
                                                                                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00A432A0
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::_Lockit.LIBCPMT ref: 00A3438E
                                                                                                                                                                                                                                                                      • Part of subcall function 00A34360: std::_Lockit::~_Lockit.LIBCPMT ref: 00A343B9
                                                                                                                                                                                                                                                                    • codecvt.LIBCPMT ref: 00A432DA
                                                                                                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00A43311
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3716348337-0
                                                                                                                                                                                                                                                                    • Opcode ID: ec430a5ad0c6973b16b799b9cfd4374b6a5ed9507fa5afde970550d6773a4738
                                                                                                                                                                                                                                                                    • Instruction ID: 0d572658c69b776425504235605c2c50b540f1a48836b929a56333d030156fb5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ec430a5ad0c6973b16b799b9cfd4374b6a5ed9507fa5afde970550d6773a4738
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F01963EA002199BCF05EFA4DA55AEE7771AFD4710F140108F511AB291DFB4AE41CB82
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000), ref: 00A5F0C7
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?,?,?,00A5809E,?), ref: 00A5F0D3
                                                                                                                                                                                                                                                                      • Part of subcall function 00A5F124: CloseHandle.KERNEL32(FFFFFFFE,00A5F0E3,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?,?), ref: 00A5F134
                                                                                                                                                                                                                                                                    • ___initconout.LIBCMT ref: 00A5F0E3
                                                                                                                                                                                                                                                                      • Part of subcall function 00A5F105: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A5F0A1,00A5E58C,?,?,00A58758,?,00000000,00000000,?), ref: 00A5F118
                                                                                                                                                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00A5E59F,00000000,00000001,?,?,?,00A58758,?,00000000,00000000,?), ref: 00A5F0F8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2744216297-0
                                                                                                                                                                                                                                                                    • Opcode ID: b5bd96661b2cff762863a868801b86d714051ead3201e1e027054d6fd43d6f07
                                                                                                                                                                                                                                                                    • Instruction ID: 7bed7a3c634f410985eaccd9d12b7f670dc180826ebaff783b13b7c538eb50f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5bd96661b2cff762863a868801b86d714051ead3201e1e027054d6fd43d6f07
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4F01C3A541515FFCF229FD5DC089893F3AFB197A2B054520FE0896120E7728821AFA1
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A44C22
• GetCurrentThreadId.KERNEL32 ref: 00A44C31
• GetCurrentProcessId.KERNEL32 ref: 00A44C3A
• QueryPerformanceCounter.KERNEL32(?), ref: 00A44C47
Memory Dump Source
• Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 00f177b5c8437123f272e32d8b9471302001dd3f6fe6dbc94513ca799df84429
• Instruction ID: 6e19a935dbfb3df08f05adede136c2d40f2d53bc3c341e1fff7723d991ff0745
• Opcode Fuzzy Hash: 00f177b5c8437123f272e32d8b9471302001dd3f6fe6dbc94513ca799df84429
• Instruction Fuzzy Hash: 40F05F74D1020DEBCB00EBF4D94999EBBF4EF2C204B918996E412F7110E774AA459F51
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
Similarity
• API ID: _strcspn
• String ID: @
• API String ID: 3709121408-2766056989
• Opcode ID: 1c506f6c3314efb8cd8df2cc48390a0e44147f98d640dfa9e1dc0b78d44b36a4
• Instruction ID: fead2febba97c2dc573c8d96e5571cbed81c7c36dc7c6e29d90f02e2e90c3794
• Opcode Fuzzy Hash: 1c506f6c3314efb8cd8df2cc48390a0e44147f98d640dfa9e1dc0b78d44b36a4
• Instruction Fuzzy Hash: 8732C4B59042698FCB24DF64C981ADEFBF1BF49300F0585AAE849A7301D734AE85CF91
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00A4FE49,?,?,00000000,00000000,00000000,?), ref: 00A4FF6D
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 93d46a732055118f60eded2ba028e7912e7bdc9defaad9a474da4caeef1164fa
• Instruction ID: c2375443f456034de4b039590578dda3ca7f6651bd2103dbacc4ea122f9bf5ea
• Opcode Fuzzy Hash: 93d46a732055118f60eded2ba028e7912e7bdc9defaad9a474da4caeef1164fa
• Instruction Fuzzy Hash: E1418B36900109AFCF26CF98CD81EEEBBB5FF48302F188069F904A7261D3759994DB51
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00A4FA2B
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 18e6f2b3bfdc8fedee4f54a00a43cc9cba39ef6e3e8bec84b4cbd4563fd41706
• Instruction ID: 7ad743bc135bfba0ae9cb4dcb876f4adc2ff82b464d6527b9a3911a96da4bc67
• Opcode Fuzzy Hash: 18e6f2b3bfdc8fedee4f54a00a43cc9cba39ef6e3e8bec84b4cbd4563fd41706
• Instruction Fuzzy Hash: 2931287E500204DFCF228F50DD549AA7B65FF89399B189179FC484A221D333CCA2DB91
APIs
• __alloca_probe_16.LIBCMT ref: 00A4200A
• RaiseException.KERNEL32(?,?,?,?), ref: 00A4202F
  • Part of subcall function 00A44D23: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A43ADE,?,?,?,?,00A43ADE,00001000,00A6AE2C,00001000), ref: 00A44D84
  • Part of subcall function 00A4D2B9: IsProcessorFeaturePresent.KERNEL32(00000017,00A47E7B,?,?,?,?,00000000), ref: 00A4D2D5
Strings
Memory Dump Source
• Source File: 00000002.00000002.1794351695.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000002.00000002.1794336896.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794375222.0000000000A61000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794392957.0000000000A6C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794408547.0000000000A71000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794422910.0000000000A74000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1794454294.0000000000ABC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_a30000_Neverlose.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                                    • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                                                                    • Opcode ID: 94b5a98fd48bebc4ded66833762bedef99afc882ab8fcef2c480a1dbf3104148
                                                                                                                                                                                                                                                                    • Instruction ID: 8b52766803b7f214687b6831647d6bb447d338b6e13ff3f35928abbfa108e8c9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94b5a98fd48bebc4ded66833762bedef99afc882ab8fcef2c480a1dbf3104148
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8218039D00218ABCF25DFD8D985AAEB7F9BFC4710F54440AF905AB250D770AD85CB91