Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
GLD6WIS3RXG4KKYJLK.exe

Overview

General Information

Sample name:GLD6WIS3RXG4KKYJLK.exe
Analysis ID:1580731
MD5:2a2989ed741c431f4a3276264f7bdb61
SHA1:f73d27c971d440346bbc18358ffd1a860f08180f
SHA256:8ef59a69e6ce81623cf61eb466321ddb66a978a7f9a808947be9ac8fe869550f
Tags:exeuser-aachum
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
Found direct / indirect Syscall (likely to bypass EDR)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • GLD6WIS3RXG4KKYJLK.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" MD5: 2A2989ED741C431F4A3276264F7BDB61)
    • GLD6WIS3RXG4KKYJLK.tmp (PID: 7448 cmdline: "C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$20470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" MD5: A62041070E18901131CBBE7825EC4EC7)
      • GLD6WIS3RXG4KKYJLK.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART MD5: 2A2989ED741C431F4A3276264F7BDB61)
        • GLD6WIS3RXG4KKYJLK.tmp (PID: 7552 cmdline: "C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$30470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART MD5: A62041070E18901131CBBE7825EC4EC7)
          • timeout.exe (PID: 7580 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)
            • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7684 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 7732 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 7740 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 7780 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 7828 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 7836 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 7872 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 7916 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 7924 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 7960 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 8012 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 8020 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 8056 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 8112 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 8120 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 8164 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 7220 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 7232 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • IUService.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe" MD5: 0588CE0C39DA3283E779C1D5B21D283B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
      00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
        0000001F.00000002.1860058588.000000000933B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
          Process Memory Space: IUService.exe PID: 5544JoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            31.2.IUService.exe.50000000.7.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
              31.2.IUService.exe.9341b29.2.raw.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                31.2.IUService.exe.9341b29.2.raw.unpackINDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOMDetects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)ditekSHen
                • 0x13396c:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                • 0x133bf8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                • 0x1339f7:$s1: CoGetObject
                • 0x133c83:$s1: CoGetObject
                • 0x133950:$s2: Elevation:Administrator!new:
                • 0x133bdc:$s2: Elevation:Administrator!new:
                31.2.IUService.exe.9386bf6.3.raw.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                  31.2.IUService.exe.9386bf6.3.raw.unpackINDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOMDetects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)ditekSHen
                  • 0xee89f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                  • 0xeeb2b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                  • 0xee92a:$s1: CoGetObject
                  • 0xeebb6:$s1: CoGetObject
                  • 0xee883:$s2: Elevation:Administrator!new:
                  • 0xeeb0f:$s2: Elevation:Administrator!new:
                  Click to see the 2 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  Exploits

                  barindex
                  Yara detected UAC Bypass using CMSTP
                  Source: Yara matchFile source: 31.2.IUService.exe.9341b29.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 31.2.IUService.exe.9386bf6.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 31.2.IUService.exe.93877f6.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001F.00000002.1860058588.000000000933B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: wntdll.pdbUGP source: IUService.exe, 0000001F.00000002.1873540961.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1875847714.0000000009D70000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: IUService.exe, 0000001F.00000002.1873540961.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1875847714.0000000009D70000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001C0CC @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,@Sysutils@FindClose$qqrr19Sysutils@TSearchRec,GetLastError,31_2_5001C0CC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000C390 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,31_2_5000C390
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001BB34 FindFirstFileW,FindClose,@System@Move$qqrpxvpvi,31_2_5001BB34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001BD10 @System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,31_2_5001BD10
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: GLD6WIS3RXG4KKYJLK.exeString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.exe, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://ocsp.comodoca.com0
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: http://ocsp.sectigo.com0
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1883968108.0000000059801000.00000020.00000001.01000000.0000000B.sdmp, is-FSK8O.tmp.3.drString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: IUService.exe, 0000001F.00000002.1860058588.00000000092E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                  Source: GLD6WIS3RXG4KKYJLK.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drString found in binary or memory: https://sectigo.com/CPS0
                  Source: GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1662958471.0000000002F8F000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1665230045.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000000.1666668371.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000000.1688591390.000000000052D000.00000020.00000001.01000000.00000008.sdmp, GLD6WIS3RXG4KKYJLK.tmp.0.dr, GLD6WIS3RXG4KKYJLK.tmp.2.drString found in binary or memory: https://www.innosetup.com/
                  Source: GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1662958471.0000000002F8F000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1665230045.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000000.1666668371.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000000.1688591390.000000000052D000.00000020.00000001.01000000.00000008.sdmp, GLD6WIS3RXG4KKYJLK.tmp.0.dr, GLD6WIS3RXG4KKYJLK.tmp.2.drString found in binary or memory: https://www.remobjects.com/ps
                  Source: Yara matchFile source: Process Memory Space: IUService.exe PID: 5544, type: MEMORYSTR

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 31.2.IUService.exe.9341b29.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 31.2.IUService.exe.9386bf6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 31.2.IUService.exe.93877f6.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F00431_2_5000F004
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F00C31_2_5000F00C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F01431_2_5000F014
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F01C31_2_5000F01C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F29C31_2_5000F29C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2A431_2_5000F2A4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2AC31_2_5000F2AC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2B431_2_5000F2B4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2BC31_2_5000F2BC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2C431_2_5000F2C4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2CC31_2_5000F2CC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2D431_2_5000F2D4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2DC31_2_5000F2DC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2E431_2_5000F2E4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2EC31_2_5000F2EC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2F431_2_5000F2F4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F2FC31_2_5000F2FC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F30431_2_5000F304
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F30C31_2_5000F30C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F31431_2_5000F314
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F31C31_2_5000F31C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F32431_2_5000F324
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F32C31_2_5000F32C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F33431_2_5000F334
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F33C31_2_5000F33C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F34431_2_5000F344
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F34C31_2_5000F34C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F35431_2_5000F354
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F35C31_2_5000F35C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F36431_2_5000F364
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F36C31_2_5000F36C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F37431_2_5000F374
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F37C31_2_5000F37C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F38431_2_5000F384
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F38C31_2_5000F38C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F39431_2_5000F394
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F39C31_2_5000F39C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3A431_2_5000F3A4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3AC31_2_5000F3AC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3B431_2_5000F3B4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3BC31_2_5000F3BC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3C431_2_5000F3C4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3CC31_2_5000F3CC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3D431_2_5000F3D4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3DC31_2_5000F3DC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3E431_2_5000F3E4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3EC31_2_5000F3EC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3F431_2_5000F3F4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F3FC31_2_5000F3FC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F40431_2_5000F404
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F40C31_2_5000F40C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F41431_2_5000F414
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F41C31_2_5000F41C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F42431_2_5000F424
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F42C31_2_5000F42C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F43431_2_5000F434
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F43C31_2_5000F43C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F44431_2_5000F444
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F49C31_2_5000F49C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4A431_2_5000F4A4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4AC31_2_5000F4AC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4B431_2_5000F4B4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4BC31_2_5000F4BC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4C431_2_5000F4C4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4CC31_2_5000F4CC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4D431_2_5000F4D4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4DC31_2_5000F4DC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000B70031_2_5000B700
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCAC31_2_5000DCAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCB431_2_5000DCB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCBC31_2_5000DCBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCC431_2_5000DCC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCCC31_2_5000DCCC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCD431_2_5000DCD4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCDC31_2_5000DCDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCE431_2_5000DCE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCEC31_2_5000DCEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCF431_2_5000DCF4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DCFC31_2_5000DCFC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD0431_2_5000DD04
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD0C31_2_5000DD0C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD1431_2_5000DD14
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD1C31_2_5000DD1C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD2431_2_5000DD24
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD2C31_2_5000DD2C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD3431_2_5000DD34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD3C31_2_5000DD3C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED4431_2_5000ED44
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD4431_2_5000DD44
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED4C31_2_5000ED4C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD4C31_2_5000DD4C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED5431_2_5000ED54
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD5431_2_5000DD54
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED5C31_2_5000ED5C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD5C31_2_5000DD5C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED6431_2_5000ED64
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD6431_2_5000DD64
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED6C31_2_5000ED6C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD6C31_2_5000DD6C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED7431_2_5000ED74
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD7431_2_5000DD74
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED7C31_2_5000ED7C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD7C31_2_5000DD7C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED8431_2_5000ED84
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD8431_2_5000DD84
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED8C31_2_5000ED8C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD8C31_2_5000DD8C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED9431_2_5000ED94
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD9431_2_5000DD94
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000ED9C31_2_5000ED9C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DD9C31_2_5000DD9C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDA431_2_5000EDA4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDA431_2_5000DDA4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDAC31_2_5000EDAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDAC31_2_5000DDAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDB431_2_5000EDB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDB431_2_5000DDB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDBC31_2_5000EDBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDBC31_2_5000DDBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDC431_2_5000EDC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDC431_2_5000DDC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDCC31_2_5000EDCC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDCC31_2_5000DDCC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDD431_2_5000DDD4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDD431_2_5000EDD4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDDC31_2_5000DDDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDDC31_2_5000EDDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDE431_2_5000DDE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDE431_2_5000EDE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDEC31_2_5000DDEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDEC31_2_5000EDEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDF431_2_5000DDF4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDF431_2_5000EDF4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DDFC31_2_5000DDFC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EDFC31_2_5000EDFC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE0431_2_5000DE04
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE0431_2_5000EE04
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE0C31_2_5000DE0C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE0C31_2_5000EE0C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE1431_2_5000DE14
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE1431_2_5000EE14
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE1C31_2_5000DE1C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE1C31_2_5000EE1C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE2431_2_5000DE24
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE2431_2_5000EE24
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE2C31_2_5000DE2C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE2C31_2_5000EE2C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE3431_2_5000DE34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE3431_2_5000EE34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE3C31_2_5000DE3C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE3C31_2_5000EE3C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE4431_2_5000DE44
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE4431_2_5000EE44
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE4C31_2_5000DE4C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE4C31_2_5000EE4C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DE5431_2_5000DE54
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE5431_2_5000EE54
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE5C31_2_5000EE5C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE6431_2_5000EE64
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE6C31_2_5000EE6C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE7431_2_5000EE74
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE7C31_2_5000EE7C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE8431_2_5000EE84
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE8C31_2_5000EE8C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE9431_2_5000EE94
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EE9C31_2_5000EE9C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEA431_2_5000EEA4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEAC31_2_5000EEAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEAC31_2_5000DEAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEB431_2_5000DEB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEB431_2_5000EEB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEBC31_2_5000DEBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEBC31_2_5000EEBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEC431_2_5000DEC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEC431_2_5000EEC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DECC31_2_5000DECC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EECC31_2_5000EECC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EED431_2_5000EED4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DED431_2_5000DED4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEDC31_2_5000EEDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEDC31_2_5000DEDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEE431_2_5000DEE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEE431_2_5000EEE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000DEEC31_2_5000DEEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEEC31_2_5000EEEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEF431_2_5000EEF4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_50002EFC31_2_50002EFC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EEFC31_2_5000EEFC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF0431_2_5000EF04
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF0C31_2_5000EF0C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF1431_2_5000EF14
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF1C31_2_5000EF1C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF2431_2_5000EF24
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF2C31_2_5000EF2C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF3431_2_5000EF34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF3C31_2_5000EF3C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF4431_2_5000EF44
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF4C31_2_5000EF4C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF5431_2_5000EF54
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF5C31_2_5000EF5C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF6431_2_5000EF64
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF6C31_2_5000EF6C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF7431_2_5000EF74
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF7C31_2_5000EF7C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF8431_2_5000EF84
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF8C31_2_5000EF8C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF9431_2_5000EF94
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EF9C31_2_5000EF9C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFA431_2_5000EFA4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFAC31_2_5000EFAC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFB431_2_5000EFB4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFBC31_2_5000EFBC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFC431_2_5000EFC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFCC31_2_5000EFCC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFD431_2_5000EFD4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFDC31_2_5000EFDC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFE431_2_5000EFE4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFEC31_2_5000EFEC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFF431_2_5000EFF4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000EFFC31_2_5000EFFC
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: invalid certificate
                  Source: GLD6WIS3RXG4KKYJLK.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: GLD6WIS3RXG4KKYJLK.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: GLD6WIS3RXG4KKYJLK.tmp.0.drStatic PE information: Number of sections : 11 > 10
                  Source: GLD6WIS3RXG4KKYJLK.tmp.2.drStatic PE information: Number of sections : 11 > 10
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: Number of sections : 11 > 10
                  Source: GLD6WIS3RXG4KKYJLK.exe, 00000000.00000000.1659507164.0000000000E29000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameum_player.exe vs GLD6WIS3RXG4KKYJLK.exe
                  Source: GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1662958471.000000000328E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameum_player.exe vs GLD6WIS3RXG4KKYJLK.exe
                  Source: GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1665230045.000000007F8CA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameum_player.exe vs GLD6WIS3RXG4KKYJLK.exe
                  Source: GLD6WIS3RXG4KKYJLK.exeBinary or memory string: OriginalFileNameum_player.exe vs GLD6WIS3RXG4KKYJLK.exe
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 31.2.IUService.exe.9341b29.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 31.2.IUService.exe.9386bf6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 31.2.IUService.exe.93877f6.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: classification engineClassification label: mal68.expl.evad.winEXE@54/20@0/0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001D4C4 GetDiskFreeSpaceW,@System@@_llmul$qqrv,@System@@_llmul$qqrv,31_2_5001D4C4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000C2EC GetModuleFileNameW,@System@LoadResourceModule$qqrpbo,31_2_5000C2EC
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMediaJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeFile created: C:\Users\user\AppData\Local\Temp\is-MMN17.tmpJump to behavior
                  Source: Yara matchFile source: 31.2.IUService.exe.50000000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmp, type: DROPPED
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
                  Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                  Source: GLD6WIS3RXG4KKYJLK.exeString found in binary or memory: /LOADINF="filename"
                  Source: GLD6WIS3RXG4KKYJLK.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeFile read: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe"
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp "C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$20470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp "C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$30470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\timeout.exe "timeout" 9
                  Source: C:\Windows\System32\timeout.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "opssvc.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avastui.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avgui.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe "C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe"
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp "C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$20470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTARTJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp "C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$30470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTARTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\timeout.exe "timeout" 9 Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe "C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "opssvc.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avastui.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avgui.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: winsta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: shfolder.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: winsta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: shfolder.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sfc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: dlnashext.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: wpdshext.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: msimg32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: oledlg.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpWindow found: window name: TMainFormJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic file information: File size 8371434 > 1048576
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: wntdll.pdbUGP source: IUService.exe, 0000001F.00000002.1873540961.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1875847714.0000000009D70000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: IUService.exe, 0000001F.00000002.1873540961.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1875847714.0000000009D70000.00000004.00000800.00020000.00000000.sdmp
                  Source: GLD6WIS3RXG4KKYJLK.tmp.0.drStatic PE information: real checksum: 0x33908a should be: 0x33ab8c
                  Source: is-QOM3R.tmp.3.drStatic PE information: real checksum: 0x3ca18 should be: 0x33f43
                  Source: GLD6WIS3RXG4KKYJLK.tmp.2.drStatic PE information: real checksum: 0x33908a should be: 0x33ab8c
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: real checksum: 0x61312b should be: 0x807c92
                  Source: GLD6WIS3RXG4KKYJLK.exeStatic PE information: section name: .didata
                  Source: GLD6WIS3RXG4KKYJLK.tmp.0.drStatic PE information: section name: .didata
                  Source: GLD6WIS3RXG4KKYJLK.tmp.2.drStatic PE information: section name: .didata
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_50012004 push 50012030h; ret 31_2_50012028
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F22C push eax; retn 00FEh31_2_5000F230
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F234 push eax; ret 31_2_5000F238
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F26C push eax; retf 00FEh31_2_5000F270
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F274 push eax; retf 31_2_5000F278
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F294 push eax; iretd 31_2_5000F298
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_500153A4 push 500153D0h; ret 31_2_500153C8
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F49C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4A4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4AC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4B4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4BC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4C4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4CC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4D4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4DC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4E4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4EC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4F4 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F4FC push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F504 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F50C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F514 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F51C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F524 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F52C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F534 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F53C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F544 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F54C push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F554 push 5000F5F8h; ret 31_2_5000F5F0
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HL5QL.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeFile created: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-IKU5B.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\rtl120.bpl (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\maddisAsm_.bpl (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-QOM3R.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\madbasic_.bpl (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-MSN9K.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\madexcept_.bpl (copy)Jump to dropped file
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeFile created: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-33F93.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\is-FSK8O.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpFile created: C:\Users\user\AppData\Roaming\UltraMedia\vcl120.bpl (copy)Jump to dropped file
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeAPI/Special instruction interceptor: Address: 6BC77C44
                  Tries to detect virtualization through RDTSC time measurements
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeRDTSC instruction interceptor: First address: 6BC7F3E1 second address: 6BC7F3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeRDTSC instruction interceptor: First address: 6BC7F3FD second address: 6BC7F3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007FE85C7DD535h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007FE85C7DD5C0h 0x00000031 rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HL5QL.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\UltraMedia\is-QOM3R.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\UltraMedia\is-MSN9K.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\UltraMedia\is-33F93.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\UltraMedia\is-FSK8O.tmpJump to dropped file
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001C0CC @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,@Sysutils@FindClose$qqrr19Sysutils@TSearchRec,GetLastError,31_2_5001C0CC
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000C390 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,31_2_5000C390
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001BB34 FindFirstFileW,FindClose,@System@Move$qqrpxvpvi,31_2_5001BB34
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5001BD10 @System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,31_2_5001BD10
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000002.1686497365.000000000135E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\6'V
                  Source: GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000002.1686497365.000000000135E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Found direct / indirect Syscall (likely to bypass EDR)
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeNtQuerySystemInformation: Direct from: 0x57007C8BJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe "C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTARTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmpProcess created: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe "C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "opssvc.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avastui.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "avgui.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: @System@LoadResourceModule$qqrpbo,GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,31_2_5000C58C
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString,GetLocaleInfoW,@System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,31_2_50025B78
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: @Sysutils@GetLocaleChar$qqriib,GetLocaleInfoW,31_2_50025BC4
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_50022830 @Sysutils@CurrentYear$qqrv,GetLocalTime,31_2_50022830
                  Source: find.exe, 00000015.00000002.1804084567.0000024DE3B4B000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000015.00000002.1804362126.0000024DE3E20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgui.exe
                  Source: C:\Users\user\AppData\Roaming\UltraMedia\IUService.exeCode function: 31_2_5000F05C @Rtlconsts@_sCannotListenOnOpen,@Rtlconsts@_sCannotCreateSocket,@Rtlconsts@_sSocketAlreadyOpen,@Rtlconsts@_sCantChangeWhileActive,@Rtlconsts@_sSocketMustBeBlocking,@Rtlconsts@_sSocketIOError,31_2_5000F05C

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		11
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping1
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts2
                  Command and Scripting Interpreter                  		Boot or Logon Initialization Scripts1
                  Abuse Elevation Control Mechanism                  		11
                  Process Injection                  		LSASS Memory211
                  Security Software Discovery                  		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		1
                  Abuse Elevation Control Mechanism                  		Security Account Manager2
                  Process Discovery                  		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Obfuscated Files or Information                  		NTDS2
                  System Owner/User Discovery                  		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading                  		LSA Secrets2
                  File and Directory Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials214
                  System Information Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 1580731 Sample: GLD6WIS3RXG4KKYJLK.exe Startdate: 25/12/2024 Architecture: WINDOWS Score: 68 63 Malicious sample detected (through community Yara rule) 2->63 65 Yara detected UAC Bypass using CMSTP 2->65 10 GLD6WIS3RXG4KKYJLK.exe 2 2->10         started        process3 file4 59 C:\Users\user\...behaviorgraphLD6WIS3RXG4KKYJLK.tmp, PE32 10->59 dropped 13 GLD6WIS3RXG4KKYJLK.tmp 3 4 10->13         started        process5 file6 61 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->61 dropped 16 GLD6WIS3RXG4KKYJLK.exe 2 13->16         started        process7 file8 49 C:\Users\user\...behaviorgraphLD6WIS3RXG4KKYJLK.tmp, PE32 16->49 dropped 19 GLD6WIS3RXG4KKYJLK.tmp 5 13 16->19         started        process9 file10 51 C:\Users\user\...\IUService.exe (copy), PE32 19->51 dropped 53 C:\Users\user\AppData\...\vcl120.bpl (copy), PE32 19->53 dropped 55 C:\Users\user\AppData\...\rtl120.bpl (copy), PE32 19->55 dropped 57 10 other files (none is malicious) 19->57 dropped 22 IUService.exe 19->22         started        25 cmd.exe 1 19->25         started        27 cmd.exe 1 19->27         started        29 5 other processes 19->29 process11 signatures12 67 Tries to detect virtualization through RDTSC time measurements 22->67 69 Switches to a custom stack to bypass stack traces 22->69 71 Found direct / indirect Syscall (likely to bypass EDR) 22->71 31 conhost.exe 25->31         started        33 tasklist.exe 1 25->33         started        35 find.exe 1 25->35         started        37 conhost.exe 27->37         started        45 2 other processes 27->45 39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        47 10 other processes 29->47 process13

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  GLD6WIS3RXG4KKYJLK.exe6%VirustotalBrowse

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmp0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmp0%VirustotalBrowse
                  C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp0%VirustotalBrowse
                  C:\Users\user\AppData\Local\Temp\is-HL5QL.tmp\_isetup\_setup64.tmp0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\is-HL5QL.tmp\_isetup\_setup64.tmp0%VirustotalBrowse
                  C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp0%ReversingLabs
                  C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp0%VirustotalBrowse
                  C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe (copy)0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\is-33F93.tmp0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmp0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\is-FSK8O.tmp0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\is-IKU5B.tmp0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\is-MSN9K.tmp0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\maddisAsm_.bpl (copy)0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\madexcept_.bpl (copy)0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\rtl120.bpl (copy)0%ReversingLabs
                  C:\Users\user\AppData\Roaming\UltraMedia\vcl120.bpl (copy)0%ReversingLabs

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tGLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                    		high
                    https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUGLD6WIS3RXG4KKYJLK.exefalse
                      		high
                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sGLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                        		high
                        https://sectigo.com/CPS0GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                          		high
                          http://ocsp.sectigo.com0GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                            		high
                            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                              		high
                              https://www.remobjects.com/psGLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1662958471.0000000002F8F000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1665230045.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000000.1666668371.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000000.1688591390.000000000052D000.00000020.00000001.01000000.00000008.sdmp, GLD6WIS3RXG4KKYJLK.tmp.0.dr, GLD6WIS3RXG4KKYJLK.tmp.2.drfalse
                                		high
                                http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000002.1846688774.000000000018D000.00000004.00000010.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, is-810FK.tmp.3.dr, is-FSK8O.tmp.3.drfalse
                                  		high
                                  https://www.innosetup.com/GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1662958471.0000000002F8F000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.exe, 00000000.00000003.1665230045.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000001.00000000.1666668371.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000000.1688591390.000000000052D000.00000020.00000001.01000000.00000008.sdmp, GLD6WIS3RXG4KKYJLK.tmp.0.dr, GLD6WIS3RXG4KKYJLK.tmp.2.drfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/envelope/GLD6WIS3RXG4KKYJLK.tmp, 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, IUService.exe, 0000001F.00000002.1883968108.0000000059801000.00000020.00000001.01000000.0000000B.sdmp, is-FSK8O.tmp.3.drfalse
                                      		high
                                      http://www.info-zip.org/IUService.exe, 0000001F.00000002.1860058588.00000000092E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high

                                        World Map of Contacted IPs

                                        No contacted IP infos

                                        General Information

                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1580731
                                        Start date and time:2024-12-25 21:53:07 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 6m 17s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:34
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:GLD6WIS3RXG4KKYJLK.exe
                                        Detection:MAL
                                        Classification:mal68.expl.evad.winEXE@54/20@0/0
                                        EGA Information:Failed
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 430
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Stop behavior analysis, all processes terminated

                                        Warnings

                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.149.20.212, 13.107.246.63
                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target IUService.exe, PID 5544 because there are no executed function
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASNs

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmp#U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeGet hashmaliciousUnknownBrowse
                                          #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exeGet hashmaliciousUnknownBrowse
                                            yvaKqhmD4L.exeGet hashmaliciousUnknownBrowse
                                              yvaKqhmD4L.exeGet hashmaliciousUnknownBrowse
                                                #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeGet hashmaliciousUnknownBrowse
                                                  #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeGet hashmaliciousUnknownBrowse
                                                    #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeGet hashmaliciousUnknownBrowse
                                                      #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeGet hashmaliciousUnknownBrowse
                                                        #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeGet hashmaliciousUnknownBrowse
                                                          #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeGet hashmaliciousUnknownBrowse

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Temp\is-4TMCA.tmp\_isetup\_setup64.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6144
                                                            Entropy (8bit):4.720366600008286
                                                            Encrypted:false
                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Joe Sandbox View:
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_2.1.0.exe, Detection: malicious, Browse
                                                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                                                            • Filename: yvaKqhmD4L.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                                                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp

                                                            Download File
                                                            Process:C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):3367424
                                                            Entropy (8bit):6.53001282597034
                                                            Encrypted:false
                                                            SSDEEP:98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
                                                            MD5:A62041070E18901131CBBE7825EC4EC7
                                                            SHA1:67DB71F5A885B1E417B1272218E6B814C45A6C93
                                                            SHA-256:E25EF8AA3AB40EE6950DACC4CCD9EDD1EBE973D45109F6EEF34F7F49E26A2E27
                                                            SHA-512:AE560D59071F8E2D484E5607E6A3C6CAC52F011A6CB3F16B5EECB767F555D10A480AF32FE0BEB0DC6FF4B6BEC99B536AEBA58AD6697DAB72AAF60BD46F3BFC83
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

                                                            C:\Users\user\AppData\Local\Temp\is-HL5QL.tmp\_isetup\_setup64.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6144
                                                            Entropy (8bit):4.720366600008286
                                                            Encrypted:false
                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp

                                                            Download File
                                                            Process:C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):3367424
                                                            Entropy (8bit):6.53001282597034
                                                            Encrypted:false
                                                            SSDEEP:98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
                                                            MD5:A62041070E18901131CBBE7825EC4EC7
                                                            SHA1:67DB71F5A885B1E417B1272218E6B814C45A6C93
                                                            SHA-256:E25EF8AA3AB40EE6950DACC4CCD9EDD1EBE973D45109F6EEF34F7F49E26A2E27
                                                            SHA-512:AE560D59071F8E2D484E5607E6A3C6CAC52F011A6CB3F16B5EECB767F555D10A480AF32FE0BEB0DC6FF4B6BEC99B536AEBA58AD6697DAB72AAF60BD46F3BFC83
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):167432
                                                            Entropy (8bit):6.360991599728718
                                                            Encrypted:false
                                                            SSDEEP:3072:yK2FRsfrS8Ywp3GKJ7hDD/vRvDTX8QlevsqYau7j7/EecxurY:x1TSG/XT5Fau7pXk
                                                            MD5:0588CE0C39DA3283E779C1D5B21D283B
                                                            SHA1:1F264A47972D63DB2CDE18DC8311BC46551380EB
                                                            SHA-256:D5A6714AB95CAA92EF1A712465A44C1827122B971BDB28FFA33221E07651D6F7
                                                            SHA-512:A5F97AC156D081CB4D9B3F32948EEA387725C88AF0F19E8BC8DB2058A19E211648B7FD86708FF5E1DB8F7B57CA3AB8EDEBA771C9D684C53BCB228CA71ADAB02A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....(e.....................f....................@..................................5...........@..............................0b...................B...L..............................................................8............................text...4........................... ..`.itext..4........................... ..`.data...............................@....bss.....................................idata..0b.......d..................@....reloc...............B..............@..B.rsrc................T..............@..@....................................@..@................................................................................................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\chamberpot.mov (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):57648
                                                            Entropy (8bit):4.550992233527233
                                                            Encrypted:false
                                                            SSDEEP:768:x2wABEZ6oIUJ/dJzXo6oB2FWNveOo6kzk1/+jjHC4jDXz6O5jE5BkkV1JDp0msak:EwABEZfID72OYzSuNjDj2BkkV3pgGyt
                                                            MD5:C0CAF225931CFA74230FBD256997CF4C
                                                            SHA1:7436A37776AE636208B3880BB4B1408ABB3A92BA
                                                            SHA-256:B631E0F6F5C45F9F7680CF91136F2C79A533D18875CEDF5E2E968A168AD5422D
                                                            SHA-512:42DFA23E076ECBF555B9EAC74C00DC89EB5EC600FEE192BA1BDE8215A6E7FD65B6C017ED3AD4375E714B18D6AE03FFE3A5732370658B8DA0F27E4E868168AE96
                                                            Malicious:false
                                                            Preview:x.O.P..\...E.Q`N.H...]W.r..R..ajm....AVI.f.f..]]..oo..HMEE][.BT..G_..J.fs.GJ[M.....xZ.^..p..G_...TY.....N.jKM.V.b.SquofmV..[EZ[JJ..........l.dkBH.._..g....k..MlA....n.CsSi.f..t.f.A.x..B..B...igq..k.....E..Lr..^.....vd...Hj.L..x....\j.Gd..\Mk.RlJ.gdCo`c..W.xc.....[qF...F..L.H..Rqr.lp^.xMpPe.G...].DtY.kjs..krWTE.Eti.rF.].^..Oe...X.Y].xgot.K.T.S..ygj....[v`.]P.`Ns..L.^..Dx..d...jWS....P.R..mJ...`XbYhEnT..x....EK..LL.Sl.IEA.....JWIeJEen...c.g.\.w..]]E..BwsVdhm...k...U.......Wpo.c...N..oj....^.SsD]P......b..aDF..f`.fB.\......AN.lQ..Vy.Jl`ZWh.v...EvPC...P...PWn..B..`.EV.....N.R.\..S.F..Kj.b.rmp..i..`Mfl`k..R.ij.RAw.C..a.Y.Nrowx...U...YM..h.F.m.lJ....M.kC.f__y.LF.E........p.BlgKGD...kl..._.._d..ve..b.R.VL.d.[.t..n.MZ^..un.....K....V..H.[...qi..P..Oj...wdyR.Z.KN...Y..V..E..jA.Yi.bl.j...ktp.....HD.E.Ivv......n.uIChd.........CB...A....KA.....LB.UnlWek..j.iR.S......`D.Z...D..t.Q.VVoI..l...GZd..F^.ClV.B.U.f.h.IW.C..LVWJD.Iwy...g.Fo..krjK..ulpTnCX^.xb.lm.G.Bm.....]p[wxDG..nks.X..e.rdo..TceD........

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-32EAB.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6557262
                                                            Entropy (8bit):7.976170515806142
                                                            Encrypted:false
                                                            SSDEEP:98304:hjt9oE685wwEVri3xKkTNU7O22do+wn/W2MFXxL8meovJoWl6R7RIoiaTqfNnObu:J3o5VQ5COXdodn/+XhvvJoHZOFZVaV0
                                                            MD5:88E1EDD6CE0B044711CE803670E81C74
                                                            SHA1:1F19D8EA4EDED28E92454C833BD284F6BCB5279B
                                                            SHA-256:F7C7472065564F2C81168AB687FCBB59A3E8C8E16E826C3772911D17D86F8CB9
                                                            SHA-512:A1D06669DA35BF6075E142A9BD0CBEF7435DA5CAA48921A48AE30D3C84C8D4CFF4C52851B1C8F3E3C40B1C41932E3A6F043632BBEB4667847EFF5675EF9B751A
                                                            Malicious:false
                                                            Preview:..C...h.NL.o.MbR..FkCAO...c.q.AC.b...c.Zx..c...wn....y.M_XW....ah.g`..E...imvQ..ByhV^e.fR.G....n..U.ECN....T.fqX.smX.dl.WG..X.V.W.qn.......L.bEVn.jp..K.C....TmH.CUJ...AVe...d.M`..f.wh.D.S.HvO...Ra..f...Eq.k.b..O.V...dsgyI...eMCG..._v.W.A...ZLym.....Zk.hJN....Kux.D..hl..B.aQk...R.X..ml....ZMB.\Q.q...Dxf.k.X...D`.TLlMa..lc.ytP.TJF..K\SaE.K\WY.G....`.f.w..Ck..x..ij.g.y.f...Mplo.upssO.FVs....v.w..\Zr.]x..K..g.....K.H.XY.p...p.gV.F.H.M...^.anm..w.[n..Iu.jxj.JA.r...td..NU.r..nh.e..SSM^bGa.c[P..i.p.WgdXt.KF..Xt.vAAs..o.nO.U..E.ks.ii..l..x.L...jsVM.s.....q.B.p.D...^YG.RO...j..P...BJ.roZ.`j....tP.Q...UWt.S.M\.]A.pFJ.JB.a.u.G.WW..w[......r.hGwT.JHt..aYqS..l.C..M..O.R....i..Ad..Ui..TeDB^...tW...D.[..G\CD.ZWMQ][.yKVd...F._..jn.KIc..L...rho...xJ.[.....u..w..Q.VH.g.X^vg.iS_.IN.a.aU.q..Tq..N...M..A......e....\NS`Fk.....K.Wxs..K.TD..THm...Kc.r....b..Zg..b..jWD.g..I.bIU...j.....qHm.g.qyL.....A.IH.Lc.eOo.OSN.Tl..uL....q.\....e..CG.KmU...h.yo.xy.M.w.fc..]...G...\..Gqa.a.s.dP.V..g_...M_.g..QIh_.V.XLDxQa..

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-33F93.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2015240
                                                            Entropy (8bit):6.681879780616523
                                                            Encrypted:false
                                                            SSDEEP:24576:v2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6W:vRSf0Ww+NpPSyzYY8c8YEPI4+W
                                                            MD5:9A438A75E68E88CDABC13074A17F8A52
                                                            SHA1:97C94801D37D249ECE7BA9ACA05703303FD9CF06
                                                            SHA-256:CCCCADDE7393F1B624CDE32B38274E60BBE65B1769D614D129BABDAEEF9A6715
                                                            SHA-512:19D260505972B96C2E5AE0058A29F61E606E276779A80732DBEE70F9223DBFF51DCB1F5E4EFF19206C300EE08E6060987171F5B83AD87FDD8F797E0E2DB529FC
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H.....................l............... .....P.................................8...............................P...'...`.......................t...L.......^.............."....................................y...............................text...4........................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P.......*...................idata.......`.......*..............@....edata...'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1114632
                                                            Entropy (8bit):6.835959006752849
                                                            Encrypted:false
                                                            SSDEEP:24576:0bhz5FWbA1msvIRzM7Rk5JZzSQ4+Is2D9Tx0gbo9:b2hTKgbo9
                                                            MD5:E71E48E31AC728A6DE7C020645F0C32F
                                                            SHA1:7F86EADD1B7A0AB87B7CE7C2029BDEF3D6FE1D8D
                                                            SHA-256:40A1D1A2F276738F568700DDCCAC99CDCD35B973FC8BE86AB826C0D1ABC9D6FF
                                                            SHA-512:5E41DBE7EFAC8A042A14C2F976D1AFCD45E3F7531FB60DAAB61AC17FFD339D34E1C6746FCE9E4B591B026598A89E38F36C6D24E33E2DE0B39D81806259F9BE2A
                                                            Malicious:false
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\UltraMedia\is-810FK.tmp, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H...........................................P.........................`.................................................X$...p...................L..............................................................x............................text.............................. ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@.......(...................idata..X$.......&...(..............@....edata...............N..............@..@.rdata...............0..............@..@.reloc...............2..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-FSK8O.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):448520
                                                            Entropy (8bit):6.746694731944354
                                                            Encrypted:false
                                                            SSDEEP:6144:XlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2lZ:XlG4ut30F8slzYlQcW/jd++2nJ6u2lZ
                                                            MD5:562EC96D0F65B0309AD7508D0E0CED11
                                                            SHA1:0FE9DDA664F4F8D9AE18603C5A25756710032A6F
                                                            SHA-256:FB64A5954B726D2D0F0BC26113A36DC8A86C469AF994CEEAF2E2609743A0A557
                                                            SHA-512:876B82534764B2D156CE64D52771D38F245D330957287773F6B2360F48564B8D4A304449FA6F6400052165AAF433A191AF2D3B38B194A9B1E892552DC0805FBA
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...f..V.................H...@......<c.......p.....Y.................................l...................................O......._......D<...............L...P...A...........@..$...................................l...x............................text....C.......D.................. ..`.itext..D....`.......H.............. ..`.data...t....p.......L..............@....bss....H............Z...................idata..._.......`...Z..............@....edata...O.......P..................@..@.rdata..$....@......................@..@.reloc...A...P...B..................@..B.rsrc...D<.......>...N..............@..@.....................R..............@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-IKU5B.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):167432
                                                            Entropy (8bit):6.360991599728718
                                                            Encrypted:false
                                                            SSDEEP:3072:yK2FRsfrS8Ywp3GKJ7hDD/vRvDTX8QlevsqYau7j7/EecxurY:x1TSG/XT5Fau7pXk
                                                            MD5:0588CE0C39DA3283E779C1D5B21D283B
                                                            SHA1:1F264A47972D63DB2CDE18DC8311BC46551380EB
                                                            SHA-256:D5A6714AB95CAA92EF1A712465A44C1827122B971BDB28FFA33221E07651D6F7
                                                            SHA-512:A5F97AC156D081CB4D9B3F32948EEA387725C88AF0F19E8BC8DB2058A19E211648B7FD86708FF5E1DB8F7B57CA3AB8EDEBA771C9D684C53BCB228CA71ADAB02A
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....(e.....................f....................@..................................5...........@..............................0b...................B...L..............................................................8............................text...4........................... ..`.itext..4........................... ..`.data...............................@....bss.....................................idata..0b.......d..................@....reloc...............B..............@..B.rsrc................T..............@..@....................................@..@................................................................................................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-MSN9K.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):66056
                                                            Entropy (8bit):6.89541527402873
                                                            Encrypted:false
                                                            SSDEEP:1536:eNy3eqMne0sXB0IWtCLwEJhY0w1FwbiD7wlwei7:CqMnfIB04LwEJhY0w1UTnE
                                                            MD5:11EFAB4068CB4058207959E2638C2C1A
                                                            SHA1:B1EAC0879DCDA14BDC0C2EFD7F261D7C175208C3
                                                            SHA-256:11E3568F497C40331EE4A9E9973967E61B224E19204E09ED7451DA3B74BD2FF5
                                                            SHA-512:CED6167612674232429C25E52BA051994B09FDAEAF3316505904456EF8D7063F2EB03B5A158F0A424F0ECB49673E6A3D6B57D61183C5F8402DA3FE53AF0BD185
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... ......|>..................................&.......d........................L......T...............#....................................................................text...4w.......x.................. ..`.itext..<............|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-N5BB9.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):57648
                                                            Entropy (8bit):4.550992233527233
                                                            Encrypted:false
                                                            SSDEEP:768:x2wABEZ6oIUJ/dJzXo6oB2FWNveOo6kzk1/+jjHC4jDXz6O5jE5BkkV1JDp0msak:EwABEZfID72OYzSuNjDj2BkkV3pgGyt
                                                            MD5:C0CAF225931CFA74230FBD256997CF4C
                                                            SHA1:7436A37776AE636208B3880BB4B1408ABB3A92BA
                                                            SHA-256:B631E0F6F5C45F9F7680CF91136F2C79A533D18875CEDF5E2E968A168AD5422D
                                                            SHA-512:42DFA23E076ECBF555B9EAC74C00DC89EB5EC600FEE192BA1BDE8215A6E7FD65B6C017ED3AD4375E714B18D6AE03FFE3A5732370658B8DA0F27E4E868168AE96
                                                            Malicious:false
                                                            Preview:x.O.P..\...E.Q`N.H...]W.r..R..ajm....AVI.f.f..]]..oo..HMEE][.BT..G_..J.fs.GJ[M.....xZ.^..p..G_...TY.....N.jKM.V.b.SquofmV..[EZ[JJ..........l.dkBH.._..g....k..MlA....n.CsSi.f..t.f.A.x..B..B...igq..k.....E..Lr..^.....vd...Hj.L..x....\j.Gd..\Mk.RlJ.gdCo`c..W.xc.....[qF...F..L.H..Rqr.lp^.xMpPe.G...].DtY.kjs..krWTE.Eti.rF.].^..Oe...X.Y].xgot.K.T.S..ygj....[v`.]P.`Ns..L.^..Dx..d...jWS....P.R..mJ...`XbYhEnT..x....EK..LL.Sl.IEA.....JWIeJEen...c.g.\.w..]]E..BwsVdhm...k...U.......Wpo.c...N..oj....^.SsD]P......b..aDF..f`.fB.\......AN.lQ..Vy.Jl`ZWh.v...EvPC...P...PWn..B..`.EV.....N.R.\..S.F..Kj.b.rmp..i..`Mfl`k..R.ij.RAw.C..a.Y.Nrowx...U...YM..h.F.m.lJ....M.kC.f__y.LF.E........p.BlgKGD...kl..._.._d..ve..b.R.VL.d.[.t..n.MZ^..un.....K....V..H.[...qi..P..Oj...wdyR.Z.KN...Y..V..E..jA.Yi.bl.j...ktp.....HD.E.Ivv......n.uIChd.........CB...A....KA.....LB.UnlWek..j.iR.S......`D.Z...D..t.Q.VVoI..l...GZd..F^.ClV.B.U.f.h.IW.C..LVWJD.Iwy...g.Fo..krjK..ulpTnCX^.xb.lm.G.Bm.....]p[wxDG..nks.X..e.rdo..TceD........

                                                            C:\Users\user\AppData\Roaming\UltraMedia\is-QOM3R.tmp

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):197632
                                                            Entropy (8bit):6.7840768813314964
                                                            Encrypted:false
                                                            SSDEEP:6144:yN/kGQxE6qeM/k4qTl5L5e5+53WCG1CnTeFmf:VqeM/k4qR5L5e5+53WKiE
                                                            MD5:09C311CE669A6BBD40B4D27FBB6F249E
                                                            SHA1:7714EB60EFE0C0ACE52681B11AC4EE80488BB796
                                                            SHA-256:AD9B4441C680A9691259668A0685429CBFDA55D4C19DB8230C52283EEB752743
                                                            SHA-512:19825B164A64754778C2A83463164BD533B68A77CA62CB271074E92D7ED759657CDC12187EC1DBEF700143765FE74ADCABAB5D1BCE5C3211B470246689DFF73A
                                                            Malicious:false
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W.................................................................0...d......`(......x.......................................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\madbasic_.bpl (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):197632
                                                            Entropy (8bit):6.7840768813314964
                                                            Encrypted:false
                                                            SSDEEP:6144:yN/kGQxE6qeM/k4qTl5L5e5+53WCG1CnTeFmf:VqeM/k4qR5L5e5+53WKiE
                                                            MD5:09C311CE669A6BBD40B4D27FBB6F249E
                                                            SHA1:7714EB60EFE0C0ACE52681B11AC4EE80488BB796
                                                            SHA-256:AD9B4441C680A9691259668A0685429CBFDA55D4C19DB8230C52283EEB752743
                                                            SHA-512:19825B164A64754778C2A83463164BD533B68A77CA62CB271074E92D7ED759657CDC12187EC1DBEF700143765FE74ADCABAB5D1BCE5C3211B470246689DFF73A
                                                            Malicious:false
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W.................................................................0...d......`(......x.......................................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\maddisAsm_.bpl (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):66056
                                                            Entropy (8bit):6.89541527402873
                                                            Encrypted:false
                                                            SSDEEP:1536:eNy3eqMne0sXB0IWtCLwEJhY0w1FwbiD7wlwei7:CqMnfIB04LwEJhY0w1UTnE
                                                            MD5:11EFAB4068CB4058207959E2638C2C1A
                                                            SHA1:B1EAC0879DCDA14BDC0C2EFD7F261D7C175208C3
                                                            SHA-256:11E3568F497C40331EE4A9E9973967E61B224E19204E09ED7451DA3B74BD2FF5
                                                            SHA-512:CED6167612674232429C25E52BA051994B09FDAEAF3316505904456EF8D7063F2EB03B5A158F0A424F0ECB49673E6A3D6B57D61183C5F8402DA3FE53AF0BD185
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... ......|>..................................&.......d........................L......T...............#....................................................................text...4w.......x.................. ..`.itext..<............|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\madexcept_.bpl (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):448520
                                                            Entropy (8bit):6.746694731944354
                                                            Encrypted:false
                                                            SSDEEP:6144:XlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2lZ:XlG4ut30F8slzYlQcW/jd++2nJ6u2lZ
                                                            MD5:562EC96D0F65B0309AD7508D0E0CED11
                                                            SHA1:0FE9DDA664F4F8D9AE18603C5A25756710032A6F
                                                            SHA-256:FB64A5954B726D2D0F0BC26113A36DC8A86C469AF994CEEAF2E2609743A0A557
                                                            SHA-512:876B82534764B2D156CE64D52771D38F245D330957287773F6B2360F48564B8D4A304449FA6F6400052165AAF433A191AF2D3B38B194A9B1E892552DC0805FBA
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...f..V.................H...@......<c.......p.....Y.................................l...................................O......._......D<...............L...P...A...........@..$...................................l...x............................text....C.......D.................. ..`.itext..D....`.......H.............. ..`.data...t....p.......L..............@....bss....H............Z...................idata..._.......`...Z..............@....edata...O.......P..................@..@.rdata..$....@......................@..@.reloc...A...P...B..................@..B.rsrc...D<.......>...N..............@..@.....................R..............@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\rtl120.bpl (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1114632
                                                            Entropy (8bit):6.835959006752849
                                                            Encrypted:false
                                                            SSDEEP:24576:0bhz5FWbA1msvIRzM7Rk5JZzSQ4+Is2D9Tx0gbo9:b2hTKgbo9
                                                            MD5:E71E48E31AC728A6DE7C020645F0C32F
                                                            SHA1:7F86EADD1B7A0AB87B7CE7C2029BDEF3D6FE1D8D
                                                            SHA-256:40A1D1A2F276738F568700DDCCAC99CDCD35B973FC8BE86AB826C0D1ABC9D6FF
                                                            SHA-512:5E41DBE7EFAC8A042A14C2F976D1AFCD45E3F7531FB60DAAB61AC17FFD339D34E1C6746FCE9E4B591B026598A89E38F36C6D24E33E2DE0B39D81806259F9BE2A
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H...........................................P.........................`.................................................X$...p...................L..............................................................x............................text.............................. ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@.......(...................idata..X$.......&...(..............@....edata...............N..............@..@.rdata...............0..............@..@.reloc...............2..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

                                                            C:\Users\user\AppData\Roaming\UltraMedia\sputnik.bmp (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6557262
                                                            Entropy (8bit):7.976170515806142
                                                            Encrypted:false
                                                            SSDEEP:98304:hjt9oE685wwEVri3xKkTNU7O22do+wn/W2MFXxL8meovJoWl6R7RIoiaTqfNnObu:J3o5VQ5COXdodn/+XhvvJoHZOFZVaV0
                                                            MD5:88E1EDD6CE0B044711CE803670E81C74
                                                            SHA1:1F19D8EA4EDED28E92454C833BD284F6BCB5279B
                                                            SHA-256:F7C7472065564F2C81168AB687FCBB59A3E8C8E16E826C3772911D17D86F8CB9
                                                            SHA-512:A1D06669DA35BF6075E142A9BD0CBEF7435DA5CAA48921A48AE30D3C84C8D4CFF4C52851B1C8F3E3C40B1C41932E3A6F043632BBEB4667847EFF5675EF9B751A
                                                            Malicious:false
                                                            Preview:..C...h.NL.o.MbR..FkCAO...c.q.AC.b...c.Zx..c...wn....y.M_XW....ah.g`..E...imvQ..ByhV^e.fR.G....n..U.ECN....T.fqX.smX.dl.WG..X.V.W.qn.......L.bEVn.jp..K.C....TmH.CUJ...AVe...d.M`..f.wh.D.S.HvO...Ra..f...Eq.k.b..O.V...dsgyI...eMCG..._v.W.A...ZLym.....Zk.hJN....Kux.D..hl..B.aQk...R.X..ml....ZMB.\Q.q...Dxf.k.X...D`.TLlMa..lc.ytP.TJF..K\SaE.K\WY.G....`.f.w..Ck..x..ij.g.y.f...Mplo.upssO.FVs....v.w..\Zr.]x..K..g.....K.H.XY.p...p.gV.F.H.M...^.anm..w.[n..Iu.jxj.JA.r...td..NU.r..nh.e..SSM^bGa.c[P..i.p.WgdXt.KF..Xt.vAAs..o.nO.U..E.ks.ii..l..x.L...jsVM.s.....q.B.p.D...^YG.RO...j..P...BJ.roZ.`j....tP.Q...UWt.S.M\.]A.pFJ.JB.a.u.G.WW..w[......r.hGwT.JHt..aYqS..l.C..M..O.R....i..Ad..Ui..TeDB^...tW...D.[..G\CD.ZWMQ][.yKVd...F._..jn.KIc..L...rho...xJ.[.....u..w..Q.VH.g.X^vg.iS_.IN.a.aU.q..Tq..N...M..A......e....\NS`Fk.....K.Wxs..K.TD..THm...Kc.r....b..Zg..b..jWD.g..I.bIU...j.....qHm.g.qyL.....A.IH.Lc.eOo.OSN.Tl..uL....q.\....e..CG.KmU...h.yo.xy.M.w.fc..]...G...\..Gqa.a.s.dP.V..g_...M_.g..QIh_.V.XLDxQa..

                                                            C:\Users\user\AppData\Roaming\UltraMedia\vcl120.bpl (copy)

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2015240
                                                            Entropy (8bit):6.681879780616523
                                                            Encrypted:false
                                                            SSDEEP:24576:v2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6W:vRSf0Ww+NpPSyzYY8c8YEPI4+W
                                                            MD5:9A438A75E68E88CDABC13074A17F8A52
                                                            SHA1:97C94801D37D249ECE7BA9ACA05703303FD9CF06
                                                            SHA-256:CCCCADDE7393F1B624CDE32B38274E60BBE65B1769D614D129BABDAEEF9A6715
                                                            SHA-512:19D260505972B96C2E5AE0058A29F61E606E276779A80732DBEE70F9223DBFF51DCB1F5E4EFF19206C300EE08E6060987171F5B83AD87FDD8F797E0E2DB529FC
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H.....................l............... .....P.................................8...............................P...'...`.......................t...L.......^.............."....................................y...............................text...4........................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P.......*...................idata.......`.......*..............@....edata...'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.957206291621346
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                                            • Inno Setup installer (109748/4) 1.08%
                                                            • InstallShield setup (43055/19) 0.42%
                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                            File name:GLD6WIS3RXG4KKYJLK.exe
                                                            File size:8'371'434 bytes
                                                            MD5:2a2989ed741c431f4a3276264f7bdb61
                                                            SHA1:f73d27c971d440346bbc18358ffd1a860f08180f
                                                            SHA256:8ef59a69e6ce81623cf61eb466321ddb66a978a7f9a808947be9ac8fe869550f
                                                            SHA512:a2c53d6785fc543dc9a72eb29ff0c9da88df0ebf705a5da9bbdf444a969c233176a540b67396840e59a48e846cefa6db1237c87cc5139d94e68718d09be85eec
                                                            SSDEEP:196608:ZBi8NN9RmN2Psr6jaPVLOTCDIdtBXJNDi+:ZQ8NN9LFjaPVa+UXJv
                                                            TLSH:F7862213F2CBE13DE05E0B3B45B2A55454FB6A616522AEA2C7ECB4ECCE350601D3E647
                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                            File Icon

                                                            Icon Hash:0c0c2d33ceec80aa

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x4a83bc
                                                            Entrypoint Section:.itext
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:1
                                                            File Version Major:6
                                                            File Version Minor:1
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:1
                                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc

                                                            Authenticode Signature

                                                            Signature Valid:false
                                                            Signature Issuer:CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                            Signature Validation Error:The digital signature of the object did not verify
                                                            Error Number:-2146869232
                                                            Not Before, Not After
                                                            • 21/11/2011 19:00:00 21/11/2014 18:59:59
                                                            Subject Chain
                                                            • CN="inKline Global, Inc.", O="inKline Global, Inc.", STREET=711 S. Carson Street, L=Carson City, S=NV, PostalCode=89701, C=US
                                                            Version:3
                                                            Thumbprint MD5:D285B633483980369D2C1A2DD2294628
                                                            Thumbprint SHA-1:8B878CEDDD6B6AD7C75F9B526AF7B2CD81EAF2A7
                                                            Thumbprint SHA-256:AB9F0007F8A69E88E1425508D7DE5D6C08AB88FD26A7488CB948A7C92B779FDC
                                                            Serial:288508E9790128CFE47B87E51BE9AB65

                                                            Entrypoint Preview

                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            add esp, FFFFFFA4h
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            xor eax, eax
                                                            mov dword ptr [ebp-3Ch], eax
                                                            mov dword ptr [ebp-40h], eax
                                                            mov dword ptr [ebp-5Ch], eax
                                                            mov dword ptr [ebp-30h], eax
                                                            mov dword ptr [ebp-38h], eax
                                                            mov dword ptr [ebp-34h], eax
                                                            mov dword ptr [ebp-2Ch], eax
                                                            mov dword ptr [ebp-28h], eax
                                                            mov dword ptr [ebp-14h], eax
                                                            mov eax, 004A2EBCh
                                                            call 00007FE85CCCBFF5h
                                                            xor eax, eax
                                                            push ebp
                                                            push 004A8AC1h
                                                            push dword ptr fs:[eax]
                                                            mov dword ptr fs:[eax], esp
                                                            xor edx, edx
                                                            push ebp
                                                            push 004A8A7Bh
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            mov eax, dword ptr [004B0634h]
                                                            call 00007FE85CD5D97Bh
                                                            call 00007FE85CD5D4CEh
                                                            lea edx, dword ptr [ebp-14h]
                                                            xor eax, eax
                                                            call 00007FE85CD581A8h
                                                            mov edx, dword ptr [ebp-14h]
                                                            mov eax, 004B41F4h
                                                            call 00007FE85CCC60A3h
                                                            push 00000002h
                                                            push 00000000h
                                                            push 00000001h
                                                            mov ecx, dword ptr [004B41F4h]
                                                            mov dl, 01h
                                                            mov eax, dword ptr [0049CD14h]
                                                            call 00007FE85CD594D3h
                                                            mov dword ptr [004B41F8h], eax
                                                            xor edx, edx
                                                            push ebp
                                                            push 004A8A27h
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            call 00007FE85CD5DA03h
                                                            mov dword ptr [004B4200h], eax
                                                            mov eax, dword ptr [004B4200h]
                                                            cmp dword ptr [eax+0Ch], 01h
                                                            jne 00007FE85CD646EAh
                                                            mov eax, dword ptr [004B4200h]
                                                            mov edx, 00000028h
                                                            call 00007FE85CD59DC8h
                                                            mov edx, dword ptr [004B4200h]

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0xb70000x71.edata
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xb50000xfec.idata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xcb0000x11000.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x7fa49a0x1850
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000x10fa8.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0xb90000x18.rdata
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0xb52d40x25c.idata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb60000x1a4.didata
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x10000xa568c0xa5800b889d302f6fc48a904de33d8d947ae80False0.3620185045317221data6.377190161826806IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .itext0xa70000x1b640x1c00588dd0a8ab499300d3701cbd11b017d9False0.548828125data6.109264411030635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .data0xa90000x38380x3a005c0c76e77aef52ebc6702430837ccb6eFalse0.35338092672413796data4.95916338709992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .bss0xad0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .idata0xb50000xfec0x1000627340dff539ef99048969aa4824fb2dFalse0.380615234375data5.020404933181373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .didata0xb60000x1a40x200fd11c1109737963cc6cb7258063abfd6False0.34765625data2.729290535217263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .edata0xb70000x710x2007de8ca0c7a61668a728fd3a88dc0942dFalse0.1796875data1.305578535725827IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .tls0xb80000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rdata0xb90000x5d0x200d84006640084dc9f74a07c2ff9c7d656False0.189453125data1.3892750148744617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0xba0000x10fa80x11000a85fda2741bd9417695daa5fc5a9d7a5False0.5789579503676471data6.709466460182023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            .rsrc0xcb0000x110000x110001c511bbbefa0af00ebd1c04926b989f4False0.18810317095588236data3.7247469906299813IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_ICON0xcb6780xa68Device independent bitmap graphic, 64 x 128 x 4, image size 2048EnglishUnited States0.1174924924924925
                                                            RT_ICON0xcc0e00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.15792682926829268
                                                            RT_ICON0xcc7480x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.23387096774193547
                                                            RT_ICON0xcca300x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.39864864864864863
                                                            RT_ICON0xccb580x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colorsEnglishUnited States0.08339210155148095
                                                            RT_ICON0xce1800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.1023454157782516
                                                            RT_ICON0xcf0280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.10649819494584838
                                                            RT_ICON0xcf8d00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.10838150289017341
                                                            RT_ICON0xcfe380x12e5PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8712011577424024
                                                            RT_ICON0xd11200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.05668398677373642
                                                            RT_ICON0xd53480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08475103734439834
                                                            RT_ICON0xd78f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.09920262664165103
                                                            RT_ICON0xd89980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.2047872340425532
                                                            RT_STRING0xd8e000x3f8data0.3198818897637795
                                                            RT_STRING0xd91f80x2dcdata0.36475409836065575
                                                            RT_STRING0xd94d40x430data0.40578358208955223
                                                            RT_STRING0xd99040x44cdata0.38636363636363635
                                                            RT_STRING0xd9d500x2d4data0.39226519337016574
                                                            RT_STRING0xda0240xb8data0.6467391304347826
                                                            RT_STRING0xda0dc0x9cdata0.6410256410256411
                                                            RT_STRING0xda1780x374data0.4230769230769231
                                                            RT_STRING0xda4ec0x398data0.3358695652173913
                                                            RT_STRING0xda8840x368data0.3795871559633027
                                                            RT_STRING0xdabec0x2a4data0.4275147928994083
                                                            RT_RCDATA0xdae900x10data1.5
                                                            RT_RCDATA0xdaea00x310data0.6173469387755102
                                                            RT_RCDATA0xdb1b00x2cdata1.1818181818181819
                                                            RT_GROUP_ICON0xdb1dc0xbcdataEnglishUnited States0.6170212765957447
                                                            RT_VERSION0xdb2980x584dataEnglishUnited States0.2981586402266289
                                                            RT_MANIFEST0xdb81c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                                                            Imports

                                                            DLLImport
                                                            kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                            comctl32.dllInitCommonControls
                                                            user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                            oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                            advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                                                            Exports

                                                            NameOrdinalAddress
                                                            __dbk_fcall_wrapper20x40fc10
                                                            dbkFCallWrapperAddr10x4b063c

                                                            Possible Origin

                                                            Language of compilation systemCountry where language is spokenMap
                                                            EnglishUnited States

                                                            Network Behavior

                                                            No network behavior found

                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:15:53:57
                                                            Start date:25/12/2024
                                                            Path:C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe"
                                                            Imagebase:0xd70000
                                                            File size:8'371'434 bytes
                                                            MD5 hash:2A2989ED741C431F4A3276264F7BDB61
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:15:53:58
                                                            Start date:25/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-MMN17.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$20470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe"
                                                            Imagebase:0xe60000
                                                            File size:3'367'424 bytes
                                                            MD5 hash:A62041070E18901131CBBE7825EC4EC7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            • Detection: 0%, Virustotal, Browse
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:2
                                                            Start time:15:53:59
                                                            Start date:25/12/2024
                                                            Path:C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART
                                                            Imagebase:0xd70000
                                                            File size:8'371'434 bytes
                                                            MD5 hash:2A2989ED741C431F4A3276264F7BDB61
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:15:54:00
                                                            Start date:25/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-8D0L1.tmp\GLD6WIS3RXG4KKYJLK.tmp" /SL5="$30470,7416882,845824,C:\Users\user\Desktop\GLD6WIS3RXG4KKYJLK.exe" /VERYSILENT /NORESTART
                                                            Imagebase:0x2b0000
                                                            File size:3'367'424 bytes
                                                            MD5 hash:A62041070E18901131CBBE7825EC4EC7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000003.1832586833.00000000076E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            • Detection: 0%, Virustotal, Browse
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:15:54:02
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\timeout.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"timeout" 9
                                                            Imagebase:0x7ff6fb440000
                                                            File size:32'768 bytes
                                                            MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:5
                                                            Start time:15:54:02
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:8
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:9
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "wrsa.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:10
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:11
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:12
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:13
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "opssvc.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:14
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:15
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:16
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:17
                                                            Start time:15:54:11
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "avastui.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:18
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:19
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:20
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:21
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "avgui.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:22
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:23
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:24
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:25
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "nswscsvc.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:26
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                                                            Imagebase:0x7ff64b730000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:27
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:28
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                                                            Imagebase:0x7ff72e8a0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:29
                                                            Start time:15:54:12
                                                            Start date:25/12/2024
                                                            Path:C:\Windows\System32\find.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:find /I "sophoshealth.exe"
                                                            Imagebase:0x7ff632e70000
                                                            File size:17'920 bytes
                                                            MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:31
                                                            Start time:15:54:15
                                                            Start date:25/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\UltraMedia\IUService.exe"
                                                            Imagebase:0x400000
                                                            File size:167'432 bytes
                                                            MD5 hash:0588CE0C39DA3283E779C1D5B21D283B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.1860058588.000000000933B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Non-executed Functions

                                                              Function 5000C58C Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 207registrystringlibraryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,50120000,50242008), ref: 5000C5A8
                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5C8
                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5E6
                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                              • RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                              • RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                              • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 5000C6D7
                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 5000C6E4
                                                              • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 5000C6EA
                                                              • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 5000C718
                                                              • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 5000C76E
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 5000C77E
                                                              • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 5000C7AE
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 5000C7BE
                                                              • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 5000C7ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
                                                              • API String ID: 3838733197-345420546
                                                              • Opcode ID: feeedae3e6eb645ae8584e3f9f28829b83a7b9d0ae490e361948e0fb3c0780ec
                                                              • Instruction ID: 6e1fecd616c3af7657caa769789cc1cef116f98790ddf8cab21a8ed1a68448cd
                                                              • Opcode Fuzzy Hash: feeedae3e6eb645ae8584e3f9f28829b83a7b9d0ae490e361948e0fb3c0780ec
                                                              • Instruction Fuzzy Hash: 586164719402597AFB10DBE4DC55FEE73FCDB08310F944262B604E65C1EBB4DA448BA5
                                                              Function 5000C390 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152stringlibraryfileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,50120000,50242008), ref: 5000C3AD
                                                              • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 5000C3C4
                                                              • lstrcpynW.KERNEL32(?,?,?,?,50120000,50242008), ref: 5000C3F4
                                                              • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,50120000,50242008), ref: 5000C463
                                                              • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,50120000,50242008), ref: 5000C4AB
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,50120000,50242008), ref: 5000C4BE
                                                              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,50120000,50242008), ref: 5000C4D4
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,50120000,50242008), ref: 5000C4E0
                                                              • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,50120000), ref: 5000C51C
                                                              • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 5000C528
                                                              • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 5000C54B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                              • String ID: GetLongPathNameW$\$kernel32.dll
                                                              • API String ID: 3245196872-3908791685
                                                              • Opcode ID: b89c123a30ed1ecf070351e2f3e41b55a218454057482099c22ae11a49ac5007
                                                              • Instruction ID: 5d7dfac9b9f2aeec60bfe0aae1cd48dcbb1e4dc617a3dbbec08934bed254d2f5
                                                              • Opcode Fuzzy Hash: b89c123a30ed1ecf070351e2f3e41b55a218454057482099c22ae11a49ac5007
                                                              • Instruction Fuzzy Hash: 65518371D006589BEB10DBE8DC94EDEB3F8EB44320F8446A5A614E7241E774EE848B90
                                                              Function 5001C0CC Relevance: 6.0, APIs: 4, Instructions: 33fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E1
                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E7
                                                              • GetLastError.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C10C
                                                                • Part of subcall function 5001C048: FileTimeToLocalFileTime.KERNEL32(?), ref: 5001C078
                                                                • Part of subcall function 5001C048: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001C087
                                                                • Part of subcall function 5001C048: @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001C0BD
                                                              • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C105
                                                                • Part of subcall function 5001C140: FindClose.KERNEL32(?,?,5001C10A,00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C14C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileTime$Find$System@System@@Sysutils@Unicode$Array$qqrr20Char$qqrx20CloseClose$qqrr19DateErrorFirstFromLastLocalSearchStringStringpbi
                                                              • String ID:
                                                              • API String ID: 2742389685-0
                                                              • Opcode ID: 0e6a76c3268d9445fd7af8d569e44dfda8a80cbea70c39b2be0f1572241ae030
                                                              • Instruction ID: b28d0052824deb1cb2ffbfc90362c48fba345adbb55124768b9dcd6cc0dc1853
                                                              • Opcode Fuzzy Hash: 0e6a76c3268d9445fd7af8d569e44dfda8a80cbea70c39b2be0f1572241ae030
                                                              • Instruction Fuzzy Hash: 1CE02B73B021A0171B155FBC6CC189E61C84B956B03490377FA18EB307D628CC4643D0
                                                              Function 5001D4C4 Relevance: 4.5, APIs: 3, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 5001D4E5
                                                              • @System@@_llmul$qqrv.RTL120(?,00000000,?,?,?,?,?,?), ref: 5001D507
                                                              • @System@@_llmul$qqrv.RTL120(?,00000000,?,?,?,?,?,?), ref: 5001D521
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@_llmul$qqrv$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 50643528-0
                                                              • Opcode ID: f4eae7a069fc1b4a7a09ee1b588b4b1cdc4b33683fb77737d06db2c0557a1bba
                                                              • Instruction ID: 0c4a846b8cec236fdab0fe660197de8149f70c443eb820fd00f8eb9c4a30d1bf
                                                              • Opcode Fuzzy Hash: f4eae7a069fc1b4a7a09ee1b588b4b1cdc4b33683fb77737d06db2c0557a1bba
                                                              • Instruction Fuzzy Hash: 56111EB5E01609AF9B04CF99C881DEFF7F9FFC8300B54C56AA408E7251E6319A418BA0
                                                              Function 50025B78 Relevance: 4.5, APIs: 3, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                                • Part of subcall function 50009E7C: @System@@NewUnicodeString$qqri.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E87
                                                                • Part of subcall function 50009E7C: @System@Move$qqrpxvpvi.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E9A
                                                                • Part of subcall function 50009E7C: @System@@LStrClr$qqrpv.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009EA1
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$Asg$qqrr20CharClr$qqrpvFromInfoLen$qqrr20LocaleMove$qqrpxvpviStringString$qqriStringpbiStringx20
                                                              • String ID:
                                                              • API String ID: 2480292918-0
                                                              • Opcode ID: f3b23d1520dd777e6de74430a20c1e1662166f9bdb97bcc231c44e790fac31a6
                                                              • Instruction ID: ee238ebe49bff76439ed0bffe6765605e5bc4c903d09b655318257ab77e93168
                                                              • Opcode Fuzzy Hash: f3b23d1520dd777e6de74430a20c1e1662166f9bdb97bcc231c44e790fac31a6
                                                              • Instruction Fuzzy Hash: 6EE0D87170225417F7149598EC96AEAB35DD758300F4043ABBE09C7342EEB09D4043E9
                                                              Function 5001BB34 Relevance: 4.5, APIs: 3, Instructions: 24fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 5001BB48
                                                              • FindClose.KERNEL32(00000000,?,?), ref: 5001BB53
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,?,?), ref: 5001BB6C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFileFirstMove$qqrpxvpviSystem@
                                                              • String ID:
                                                              • API String ID: 1082176048-0
                                                              • Opcode ID: 9d8fc8d053a47d63c99a6f4b7e011e5fc562af016db690a0ecbb1cefa599b471
                                                              • Instruction ID: f68efd2bf0167bcec839e993e54c55a87f930c309dd978e39b41fb5caf42e4be
                                                              • Opcode Fuzzy Hash: 9d8fc8d053a47d63c99a6f4b7e011e5fc562af016db690a0ecbb1cefa599b471
                                                              • Instruction Fuzzy Hash: 8CE0923180858887DB20EEB48CC9ADA739CAB80320F500B52B938C31D0EBB0D99486D1
                                                              Function 5001BD10 Relevance: 4.5, APIs: 3, Instructions: 23fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?), ref: 5001BD25
                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 5001BD2B
                                                              • FindClose.KERNEL32(00000000,00000000,?), ref: 5001BD36
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$Char$qqrx20CloseFileFirstStringSystem@System@@Unicode
                                                              • String ID:
                                                              • API String ID: 1585263303-0
                                                              • Opcode ID: 239c0e209828f38da2e02186cda94bba796cab7fda1a68a6d257b04a1d91825f
                                                              • Instruction ID: a0d28535419e6d5ff69c5a3c2a29d04606291631ed661be052c53aa7cb72f55c
                                                              • Opcode Fuzzy Hash: 239c0e209828f38da2e02186cda94bba796cab7fda1a68a6d257b04a1d91825f
                                                              • Instruction Fuzzy Hash: 40E0C2A25096C812DF1069F96C8A79BB2CC5B44224F840BA2796CE25D2FB78899400D5
                                                              Function 5000C2EC Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(50120000,?,0000020A), ref: 5000C30A
                                                              • @System@LoadResourceModule$qqrpbo.RTL120(50120000,?,0000020A), ref: 5000C313
                                                                • Part of subcall function 5000C58C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,50120000,50242008), ref: 5000C5A8
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5C8
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5E6
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                                • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                                • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                                • Part of subcall function 5000C58C: RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Open$FileModuleNameQueryValue$CloseLoadModule$qqrpboResourceSystem@
                                                              • String ID:
                                                              • API String ID: 2494118284-0
                                                              • Opcode ID: 497cbbe01210680b9eb75a8a48ad75587f7f44726e523d6886d2e020856a3897
                                                              • Instruction ID: 1d1766b6d6bdf7e2d7684c9af6fc5eeb11ad942625cb0d89418ba6028d03f5c9
                                                              • Opcode Fuzzy Hash: 497cbbe01210680b9eb75a8a48ad75587f7f44726e523d6886d2e020856a3897
                                                              • Instruction Fuzzy Hash: B0E06D71A013508BEB04CFA8D8C1E8633D4AB08624F444A51EC14CF247D370DD1087E1
                                                              Function 50025BC4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,50028D40,00000000,50028F6A,?,?,00000000,00000000), ref: 50025BD7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 64096e9f78111220e5717306f949647381f25a1b5c5fd3ff25ac5a1514f66389
                                                              • Instruction ID: 8a847ad23c83f2510ddf9e576e5277f997b55b2555d1b1e074aea99a7d1e5b6f
                                                              • Opcode Fuzzy Hash: 64096e9f78111220e5717306f949647381f25a1b5c5fd3ff25ac5a1514f66389
                                                              • Instruction Fuzzy Hash: 0BD02EAA30E2A026E210415BBD42DFB46CCCBC4372F484136BA08C2102E620CC00C3B0
                                                              Function 50022830 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID:
                                                              • API String ID: 481472006-0
                                                              • Opcode ID: 449684beae46f2d3532cd87c13f45d50b14c143529009afe056ee12052635846
                                                              • Instruction ID: 603b05ba210550ab35cb675da7c298ca264b39312a6da9293f8d4f7aa50b5376
                                                              • Opcode Fuzzy Hash: 449684beae46f2d3532cd87c13f45d50b14c143529009afe056ee12052635846
                                                              • Instruction Fuzzy Hash: 22A012408058A101954027180C0323430409910620FC8474178FC502D1ED1D012081D7
                                                              Function 5000ED44 Relevance: .4, Instructions: 397COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ab3d6a071e3239a749166a548f6c1898b499ecd4e4622bb1771b523fb6e4014
                                                              • Instruction ID: cf3d65e411f67d36cb327356722faaf4ffd90df9c04122c1e780dd8bf9108d71
                                                              • Opcode Fuzzy Hash: 0ab3d6a071e3239a749166a548f6c1898b499ecd4e4622bb1771b523fb6e4014
                                                              • Instruction Fuzzy Hash: DAF1947150C3C29ED30F9F78D9BA462BF78AF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED4C Relevance: .4, Instructions: 394COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f68a0ee42bad41083b725cb94409a6de38f69b221a3fc83a9f099034932e1ce
                                                              • Instruction ID: 623bf9785b26179497a02cefc865e4979d99708ed956c8decc308c5a69dd3a67
                                                              • Opcode Fuzzy Hash: 3f68a0ee42bad41083b725cb94409a6de38f69b221a3fc83a9f099034932e1ce
                                                              • Instruction Fuzzy Hash: 53E1947150C3C29ED30F9F78D9BA462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED54 Relevance: .4, Instructions: 391COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7795a1473a7c61111f84970f22bff7f546545ce909f46c2ed6b45f5248676fb3
                                                              • Instruction ID: d357be01ad1ed8bbc4a81fdda7f73553e1ff39974d2e9d062a8c02bd88cea2d7
                                                              • Opcode Fuzzy Hash: 7795a1473a7c61111f84970f22bff7f546545ce909f46c2ed6b45f5248676fb3
                                                              • Instruction Fuzzy Hash: C1E1A57150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED5C Relevance: .4, Instructions: 388COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09281ff9f0759fea031d69b3b10a7a7455a2a3da826bae2feefb939c0fecd2e0
                                                              • Instruction ID: 2c2b1e8392d440b232bd510d048889bcce92fb2e970989f3d31edeb92bae1ad3
                                                              • Opcode Fuzzy Hash: 09281ff9f0759fea031d69b3b10a7a7455a2a3da826bae2feefb939c0fecd2e0
                                                              • Instruction Fuzzy Hash: AAE1947150C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02456DB26
                                                              Function 5000ED64 Relevance: .4, Instructions: 386COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a03802ffd5065ed10c123a2a6b56796119c67b128c32b7efb3b90e385ac3e180
                                                              • Instruction ID: b2146e3e37d2e4da3cf9ca4c436ff6266fd64a610200a9af604fb3da6cf7750b
                                                              • Opcode Fuzzy Hash: a03802ffd5065ed10c123a2a6b56796119c67b128c32b7efb3b90e385ac3e180
                                                              • Instruction Fuzzy Hash: 7AE1A47150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED6C Relevance: .4, Instructions: 385COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 002ba549d9fbb37009a791c4e7c0c744c3e0ef08953a6269b87ae883cb7d3a02
                                                              • Instruction ID: 1d158882553652dfab68dfea6998fe8ddd731fcb597efa41897c1918ae5860be
                                                              • Opcode Fuzzy Hash: 002ba549d9fbb37009a791c4e7c0c744c3e0ef08953a6269b87ae883cb7d3a02
                                                              • Instruction Fuzzy Hash: 2AE1957150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A06452DB26
                                                              Function 5000ED74 Relevance: .4, Instructions: 381COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2938fcebdbeb12a1a55c8c6355bfb2aa37085d739ea7c214981492d367589a1f
                                                              • Instruction ID: d943c7b09c133992d15b184f76b9cdbb8ddc8506f46618e3befca7a1bf030c8b
                                                              • Opcode Fuzzy Hash: 2938fcebdbeb12a1a55c8c6355bfb2aa37085d739ea7c214981492d367589a1f
                                                              • Instruction Fuzzy Hash: FDE1A47150C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED7C Relevance: .4, Instructions: 378COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 239d208888538ebe00c2d791575b5cd81988bbfc86e51d5946e510efe69cc01f
                                                              • Instruction ID: 20c528f272a86095bb7c5ceed0ec5ded17a9c75002dbcecaefe77a1837d448a6
                                                              • Opcode Fuzzy Hash: 239d208888538ebe00c2d791575b5cd81988bbfc86e51d5946e510efe69cc01f
                                                              • Instruction Fuzzy Hash: 08E1A47151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED84 Relevance: .4, Instructions: 374COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0af2b9bd0b250f50a78ed0df427d416faedf1c4701e44a6c363b6a6f87fcdd5d
                                                              • Instruction ID: f92d1c26e8fc610f87852d6c1fa3c7de4f287dd9c82bcd5a404f0d821355a37a
                                                              • Opcode Fuzzy Hash: 0af2b9bd0b250f50a78ed0df427d416faedf1c4701e44a6c363b6a6f87fcdd5d
                                                              • Instruction Fuzzy Hash: 72E1A37151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED8C Relevance: .4, Instructions: 370COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bae2219d3e6c40f7fcff94c841acd71e14011e7885d23e4f724b67892208f03a
                                                              • Instruction ID: 79eeb55f7e8df099ef6dc6d45a654169f85158cca79c3345fdd39d16511b0044
                                                              • Opcode Fuzzy Hash: bae2219d3e6c40f7fcff94c841acd71e14011e7885d23e4f724b67892208f03a
                                                              • Instruction Fuzzy Hash: 4AE1A47151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED94 Relevance: .4, Instructions: 366COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5740504af890fbe9c82cfae9013af95f5dc5f30776625e1ef7ac853df68a78ae
                                                              • Instruction ID: 673aa8c770a1448f9313a884b3fcf068329fe609e3a42f9c34e8363f93c037db
                                                              • Opcode Fuzzy Hash: 5740504af890fbe9c82cfae9013af95f5dc5f30776625e1ef7ac853df68a78ae
                                                              • Instruction Fuzzy Hash: DBE1A57151C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000ED9C Relevance: .4, Instructions: 362COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48c5001ccdd30bdaea37574e507703dea2a688ec9bf04f7a3444a311bff6ac07
                                                              • Instruction ID: 71839c78f389429378db614f0d890840cd755a8358e8b7c79fe2ac7bdfbcd1c6
                                                              • Opcode Fuzzy Hash: 48c5001ccdd30bdaea37574e507703dea2a688ec9bf04f7a3444a311bff6ac07
                                                              • Instruction Fuzzy Hash: 91D1B57151C3C29ED30F9F78D97A462BF7CAF0762130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000EDA4 Relevance: .4, Instructions: 358COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd1f5e48da3f5a727a65280e82594ad002c4218eb960b96d24b178714e16ef81
                                                              • Instruction ID: afa7a4128530f0c6d879e904841c62b302c0d1f7509824f7a6380ea9e3e8d33a
                                                              • Opcode Fuzzy Hash: fd1f5e48da3f5a727a65280e82594ad002c4218eb960b96d24b178714e16ef81
                                                              • Instruction Fuzzy Hash: 84D1B47150C3C29ED30F9F78D97A462BF78AF0762130A55DBD8869F0A3D2A02452DB26
                                                              Function 5000EDAC Relevance: .4, Instructions: 354COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 787fbb6628fee2ac3730d7f81a1b629c7d34cdfc688c3e18552809c5b646b991
                                                              • Instruction ID: 1faea8fc3d2d59b6ef8388d302c2e7037bd35fc24a74b3f80c8e1286a599d502
                                                              • Opcode Fuzzy Hash: 787fbb6628fee2ac3730d7f81a1b629c7d34cdfc688c3e18552809c5b646b991
                                                              • Instruction Fuzzy Hash: D2D1B47150C3C29ED30F9F78D97E462BF78AF0762130A55DBD8869F0A3D2A02456DB26
                                                              Function 5000EDB4 Relevance: .4, Instructions: 350COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d60e7a4e29c529934f0c000ba190dc11f10288fd6ad8734dda35598b7e64084
                                                              • Instruction ID: 1ee0fdbd5163d5be7ca7139df472130be46db4135d2110bd2b1cb8a3c5fc18ea
                                                              • Opcode Fuzzy Hash: 8d60e7a4e29c529934f0c000ba190dc11f10288fd6ad8734dda35598b7e64084
                                                              • Instruction Fuzzy Hash: 29D1B47150C3C29ED30F9F78D97E462BF78AF0762130A55DBD8869F0A3D2A02456DB26
                                                              Function 5000EDBC Relevance: .3, Instructions: 346COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee58d4c6d9fe5c269fa5f65091a72cbdb238fc497ba93d8ae0318654775cf861
                                                              • Instruction ID: f13c0821e0a88796a322d56e4604ada4d6a0f2d36326120f9b930bc4ed1d177d
                                                              • Opcode Fuzzy Hash: ee58d4c6d9fe5c269fa5f65091a72cbdb238fc497ba93d8ae0318654775cf861
                                                              • Instruction Fuzzy Hash: D2D1C57150C3C28ED30F9B78D97E462BF78AF0762130B55DBD8869F0A3D2A02446DB26
                                                              Function 5000EDC4 Relevance: .3, Instructions: 342COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee3c18802167132e8c04bb56d6897100ef5eba22562804eba69142bc363e3b5e
                                                              • Instruction ID: ff7f14ca69c049558ac9a1f47fead13594cf7747be4ae92742919f7fc0293745
                                                              • Opcode Fuzzy Hash: ee3c18802167132e8c04bb56d6897100ef5eba22562804eba69142bc363e3b5e
                                                              • Instruction Fuzzy Hash: 0BD1B57150C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06446DB26
                                                              Function 5000F29C Relevance: .2, Instructions: 221COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5b7ce5f1bd29568cd702b8541d64a19a8fcf3b5983f72056636acab067d6480
                                                              • Instruction ID: 06e3d7a71241e797825eaccadbe948c7490e40622fb21ac53e74e808abd9ef1f
                                                              • Opcode Fuzzy Hash: a5b7ce5f1bd29568cd702b8541d64a19a8fcf3b5983f72056636acab067d6480
                                                              • Instruction Fuzzy Hash: CE91F37050C3C24ED70FDB38CABA922BF699F0B51470A55DBC486AF5B3D7906842DB62
                                                              Function 5000DCAC Relevance: .2, Instructions: 221COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91cc2a661582e29468783bc2075891de62d35c2e7aa0e806e32a3c3503f7b550
                                                              • Instruction ID: 2a11580a50f55571f2af85791b2959ef5865c5f22584c304189c1559e8078ba0
                                                              • Opcode Fuzzy Hash: 91cc2a661582e29468783bc2075891de62d35c2e7aa0e806e32a3c3503f7b550
                                                              • Instruction Fuzzy Hash: 7091A37150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4869F5A3D3A06442DB62
                                                              Function 5000F2A4 Relevance: .2, Instructions: 217COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9c36895f99b22c1401cbcc469f8d270c7c943148079bc1f8e47b13ac7c363ac
                                                              • Instruction ID: 09809adc1bb568170ff5f6e2d7a4ebd6ef812ad8176ab9d7b94ad2b34fc05929
                                                              • Opcode Fuzzy Hash: c9c36895f99b22c1401cbcc469f8d270c7c943148079bc1f8e47b13ac7c363ac
                                                              • Instruction Fuzzy Hash: BA91F37040C3C24ED70FDB38CABA922BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                              Function 5000DCB4 Relevance: .2, Instructions: 217COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e6ea0cdcfb07c83a4dce47db69e1907207b627198ca1b0637e637cffdd40311
                                                              • Instruction ID: 00da296747786b4953835044333f2d643378281325e5fda37e81ccf228ec5755
                                                              • Opcode Fuzzy Hash: 3e6ea0cdcfb07c83a4dce47db69e1907207b627198ca1b0637e637cffdd40311
                                                              • Instruction Fuzzy Hash: A191A47150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4869F5A3D3A06442DB62
                                                              Function 5000F2AC Relevance: .2, Instructions: 213COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5b03887ff2b15b0425ac1c0650899d8f5861e4a263344996ed84b7da33d0308
                                                              • Instruction ID: 6461a43e94e58dd2132ad16f7d0fb8ba01124966c0df3d354d2ec985681c42b8
                                                              • Opcode Fuzzy Hash: e5b03887ff2b15b0425ac1c0650899d8f5861e4a263344996ed84b7da33d0308
                                                              • Instruction Fuzzy Hash: E081F47040C3C24ED70FDB78CABA922BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                              Function 5000DCBC Relevance: .2, Instructions: 213COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 45c0f604bbfdb9464c5040e02036aa94bc5cfb93b15804faa954d316121ea852
                                                              • Instruction ID: 986205d084decb3d7d15f7e9581cd18c347b0e38c11934d332288a11c09d0644
                                                              • Opcode Fuzzy Hash: 45c0f604bbfdb9464c5040e02036aa94bc5cfb93b15804faa954d316121ea852
                                                              • Instruction Fuzzy Hash: FC81B57150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4868F5A3D3A06442DB62
                                                              Function 5000F2B4 Relevance: .2, Instructions: 209COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d70d7809b1ed57dce9bb997e6b137fef8791300e227ea88555fc08468ae81e1
                                                              • Instruction ID: 2bc03eee88f559ef2646e36d307fb87da0091340c7b03e6017c410b9465afe08
                                                              • Opcode Fuzzy Hash: 2d70d7809b1ed57dce9bb997e6b137fef8791300e227ea88555fc08468ae81e1
                                                              • Instruction Fuzzy Hash: 8681F67040C3C24ED70FDB78CABA522BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                              Function 5000DCC4 Relevance: .2, Instructions: 209COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1f09bfcb28e81f3d00ee3158542e27e73f6a68b29bd50d3cd3cadef56f25971
                                                              • Instruction ID: c7f3d6054dac8d3f373e15e9cc763a3a4ba362345595d5b7a90a364a227e495b
                                                              • Opcode Fuzzy Hash: d1f09bfcb28e81f3d00ee3158542e27e73f6a68b29bd50d3cd3cadef56f25971
                                                              • Instruction Fuzzy Hash: 8381A57150C3C28ED70F9F78C9BA522BF78AF0B61170A55DBC4868F5A3D3A06452DB62
                                                              Function 5000F2BC Relevance: .2, Instructions: 205COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b327dba183ddcc38977505eb055f4c1f4f03f41c96abc7753d347c5fa001935
                                                              • Instruction ID: d5b454c5f803bfd8833c091c11673d3db061567e5d4c6602e48e7f663dae7a99
                                                              • Opcode Fuzzy Hash: 8b327dba183ddcc38977505eb055f4c1f4f03f41c96abc7753d347c5fa001935
                                                              • Instruction Fuzzy Hash: A781F67040C3C24EE70FDB78CABA526BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                              Function 5000DCCC Relevance: .2, Instructions: 205COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca4da8b7fafc8cf3d7d180b2497616528ff8bdd4ae61ace48ec5688d1d523b27
                                                              • Instruction ID: 1139e17bbb5a3c82c85eec867f1e244cba8fa962432875c5c65bfee224c40568
                                                              • Opcode Fuzzy Hash: ca4da8b7fafc8cf3d7d180b2497616528ff8bdd4ae61ace48ec5688d1d523b27
                                                              • Instruction Fuzzy Hash: A881A67050C2C28ED70F9F78C9BA522BF78AF0B61170A55DBC4868F5A3D3A06452DB62
                                                              Function 5000F2C4 Relevance: .2, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea0085e54ef671a4454b70ed5fabf586dc7ed14050bc697cd4efa35de4b52d1d
                                                              • Instruction ID: 84ed9799e497ed55fcc895262189320192188b27392e655d5ef533ca0f380f93
                                                              • Opcode Fuzzy Hash: ea0085e54ef671a4454b70ed5fabf586dc7ed14050bc697cd4efa35de4b52d1d
                                                              • Instruction Fuzzy Hash: 9A81F77040C3C24EE70FDB78CABA526BF699F0B51470A55DBC486AF4B3D3906442DB62
                                                              Function 5000DCD4 Relevance: .2, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f0288407627ff7e1734651c709e95db598b32966f3bb54d91905b2d996eeeb3
                                                              • Instruction ID: c07968b843fae4b2e85711d6b3a8942369372b912c213f6b3d0bae1d48987523
                                                              • Opcode Fuzzy Hash: 9f0288407627ff7e1734651c709e95db598b32966f3bb54d91905b2d996eeeb3
                                                              • Instruction Fuzzy Hash: 1A81A77050C2C28FD70F9F78C9BA522BF78AF0761170A55DBC4868F5A3D7A06452DB62
                                                              Function 5000F2CC Relevance: .2, Instructions: 197COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fbc5a2e3ab141828eb524af85a265b7db7f56f5ab55cbc6a21b605f7461f2874
                                                              • Instruction ID: 3dfdf488f0e3ddff12e883dbb6bb51a29168363f7489c622bac247c95a68a569
                                                              • Opcode Fuzzy Hash: fbc5a2e3ab141828eb524af85a265b7db7f56f5ab55cbc6a21b605f7461f2874
                                                              • Instruction Fuzzy Hash: 6681E77040C3C24EE70FDB78CABA526BF699F0B51470A55DBC486AF4B3C3906482DB62
                                                              Function 5000DCDC Relevance: .2, Instructions: 197COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 771eb79a5a42de7f39fc37456eb625840c220c8d5ded9b6480566c06e6be33ee
                                                              • Instruction ID: 4a07d5138fa47fb327356e0eb918d6fe67504a3ff583ca6a90c31d3c0b6f9109
                                                              • Opcode Fuzzy Hash: 771eb79a5a42de7f39fc37456eb625840c220c8d5ded9b6480566c06e6be33ee
                                                              • Instruction Fuzzy Hash: 8781A87050C2C28FD70F9F78CABA522BF78AF0761170A55DBC4864F5A3C7A06452DB62
                                                              Function 5000F2D4 Relevance: .2, Instructions: 193COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d33b1783f7d168a3b01edc894eca7076b23492883445590bf6fc8fe9629e728
                                                              • Instruction ID: c95cdcc651d02856029d5b25d6ca25b348cffa19a53626214191cb434df38b8f
                                                              • Opcode Fuzzy Hash: 0d33b1783f7d168a3b01edc894eca7076b23492883445590bf6fc8fe9629e728
                                                              • Instruction Fuzzy Hash: 0C71D77040C3C24EE70FDB78CABA526BF699F0B51470A55DBC486AF5B3C7906482DB62
                                                              Function 5000DCE4 Relevance: .2, Instructions: 193COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d0a774a6467c9be942c09c9474b4fc0e680752b228083bce70472f3bcaffcda
                                                              • Instruction ID: c4199fc0d5dc45f24a729f20239d329016e0f63531a52e743413dec13d25e6b6
                                                              • Opcode Fuzzy Hash: 1d0a774a6467c9be942c09c9474b4fc0e680752b228083bce70472f3bcaffcda
                                                              • Instruction Fuzzy Hash: 8C81A5705082C28FD70F9F68CABA522BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                              Function 5000F2DC Relevance: .2, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d68a046028d4ea755d48d8bf440a3e1feb3c029c7f97068efb76b5d48ddeaf51
                                                              • Instruction ID: e6389e2d4f130a566ea5a8116b624573a766af97e2dbde44a3e1aa9483da6a51
                                                              • Opcode Fuzzy Hash: d68a046028d4ea755d48d8bf440a3e1feb3c029c7f97068efb76b5d48ddeaf51
                                                              • Instruction Fuzzy Hash: F071D73040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF5B3C7906492DB62
                                                              Function 5000DCEC Relevance: .2, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df6b94dadef6be3c1e5a4f86748ccf45993b35100733b3d7265c2d7548da99fb
                                                              • Instruction ID: c6c463696a87d4da3f4a7dcc969b068ecc595b8bd3b8d10637434b7a6a387777
                                                              • Opcode Fuzzy Hash: df6b94dadef6be3c1e5a4f86748ccf45993b35100733b3d7265c2d7548da99fb
                                                              • Instruction Fuzzy Hash: 4D7197705082C28FD70FDF68CABA521BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                              Function 5000F2E4 Relevance: .2, Instructions: 187COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80378e959a7cb2c15ab34176bb159953e1498dc9de79dbdc9ce5628ee883ed25
                                                              • Instruction ID: f1283e0734e9067825260d2f0601af00587d4d0a1c238bb49ff5f99635958643
                                                              • Opcode Fuzzy Hash: 80378e959a7cb2c15ab34176bb159953e1498dc9de79dbdc9ce5628ee883ed25
                                                              • Instruction Fuzzy Hash: 7F71D83040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF4B3C7906492DB62
                                                              Function 5000DCF4 Relevance: .2, Instructions: 187COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f336f071921c1deffaacc52c3fbc51a73977b4f1e45f8c6cc7bca039e13daeda
                                                              • Instruction ID: aff02ff4e596728b37126d24b6feb0e7f20e944b2881405fbc199bd2ff895694
                                                              • Opcode Fuzzy Hash: f336f071921c1deffaacc52c3fbc51a73977b4f1e45f8c6cc7bca039e13daeda
                                                              • Instruction Fuzzy Hash: 4C71A5705082C28FD70F9F68CABA521BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                              Function 5000F2EC Relevance: .2, Instructions: 185COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d3196cdfe61973e1df95fbd4e3c6404e6db5a21c4807a53fab2a13f7f27f24d3
                                                              • Instruction ID: a635fb495002b1fa6ad59cccb1ba20dfda2d42e362cbf6c4f26525b0dfad379b
                                                              • Opcode Fuzzy Hash: d3196cdfe61973e1df95fbd4e3c6404e6db5a21c4807a53fab2a13f7f27f24d3
                                                              • Instruction Fuzzy Hash: D471E73040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF4B3C3906492DB62
                                                              Function 5000DCFC Relevance: .2, Instructions: 185COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6f28c979e5ff699d90389eb1482e26306fd29095d0ba2e42b49f52912b5cc80
                                                              • Instruction ID: 632ebdf8c4e80e464696d5600a9d5517a794a74a362cfc9f4aa99e0d4827feaf
                                                              • Opcode Fuzzy Hash: d6f28c979e5ff699d90389eb1482e26306fd29095d0ba2e42b49f52912b5cc80
                                                              • Instruction Fuzzy Hash: 6371A47050C2C28FD70F9F68CABA521BF78AF0B61170A55DBC8864F4A3C7A06452DB22
                                                              Function 5000F2F4 Relevance: .2, Instructions: 183COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bba6cc12655a4ca93616e249411b1fe39034da66fcf825181d80a802e35fa47f
                                                              • Instruction ID: b80117d3c9cc2010ed02aace2a1880f8023a97cd760a4a8a8143f6286c2cb1a6
                                                              • Opcode Fuzzy Hash: bba6cc12655a4ca93616e249411b1fe39034da66fcf825181d80a802e35fa47f
                                                              • Instruction Fuzzy Hash: A071E73040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF4B3C2906452DB62
                                                              Function 5000DD04 Relevance: .2, Instructions: 183COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a24ab285e8210baaec5ba7c24cad2567c15d0afffefc3d4ec86d052c3240862e
                                                              • Instruction ID: e9e4d168cb506e4d19d015b94a2b8867553e72034c85ec7158d8850bdee2f447
                                                              • Opcode Fuzzy Hash: a24ab285e8210baaec5ba7c24cad2567c15d0afffefc3d4ec86d052c3240862e
                                                              • Instruction Fuzzy Hash: ED71947150C2C28ED70F9F68CABA525BF78AF0B61170A55DBC8864F4A3C7A06452DB22
                                                              Function 5000F2FC Relevance: .2, Instructions: 181COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4d896bdf481e9000c02186237f80c106220750dc278a7fc936ee15101a7e37c
                                                              • Instruction ID: a11d640b4bb9680e62f70268a3b797891413f54f48ac5fdda5ed72919d0e2944
                                                              • Opcode Fuzzy Hash: f4d896bdf481e9000c02186237f80c106220750dc278a7fc936ee15101a7e37c
                                                              • Instruction Fuzzy Hash: 3071F63040C3C24EE70FEB78CABA525BF6D9F0B51470A55DBC486AF4B3C2906852DB62
                                                              Function 5000DD0C Relevance: .2, Instructions: 181COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c7d7a8afe0f66953839ba0d591ee185f980b367a43c97055d8ae7a079148e8a
                                                              • Instruction ID: f15b008373883dca17efc64f23f87784bf9db9f5fac34ee2802e9b22d9dce57a
                                                              • Opcode Fuzzy Hash: 5c7d7a8afe0f66953839ba0d591ee185f980b367a43c97055d8ae7a079148e8a
                                                              • Instruction Fuzzy Hash: DB71957150C2C28ED70F9F78CABA525BF78AF0B61170A55DBC8865F4B3C7A06452DB22
                                                              Function 5000F304 Relevance: .2, Instructions: 179COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f480fcb60482c1f735d2922d9cb765a4723add86f0036eeac60d6a29b57428c
                                                              • Instruction ID: d1edfa83ea6befa6ba0f7e2a70f29aa9079fc2a9dc0cb0ac4140677165f10674
                                                              • Opcode Fuzzy Hash: 5f480fcb60482c1f735d2922d9cb765a4723add86f0036eeac60d6a29b57428c
                                                              • Instruction Fuzzy Hash: 6F71F53040C3C24ED70FEB78CABA521BF699F0B51470A55DBC486AF4B3C2906842DB62
                                                              Function 5000DD14 Relevance: .2, Instructions: 179COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba3e432b4e083c34034678db91aa4d0369d936bd2730ad969296dd81233f0ec7
                                                              • Instruction ID: 2d7a8e7bf5f428d51be1d56c1917b69c19f1f8a9d96a60eda3087d960db9a654
                                                              • Opcode Fuzzy Hash: ba3e432b4e083c34034678db91aa4d0369d936bd2730ad969296dd81233f0ec7
                                                              • Instruction Fuzzy Hash: 0D71847150C2C28ED70F9F78CABA525BF78AF0B61170A55DBC4869F4B3C7A06452DB22
                                                              Function 5000F30C Relevance: .2, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca19611ee3cbc4005089650f54ea93ad1a36ab3eb2ccfe01c1dca5af9527e724
                                                              • Instruction ID: df4dd0dfa5083b123c4582445d681a2a2a586d8616795fb32ef87ea88557f241
                                                              • Opcode Fuzzy Hash: ca19611ee3cbc4005089650f54ea93ad1a36ab3eb2ccfe01c1dca5af9527e724
                                                              • Instruction Fuzzy Hash: 7D61E37140C3C24ED70FEB788ABA911BF699F0B51470E56CBC486AF4B3C6906852DB62
                                                              Function 5000DD1C Relevance: .2, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abc6b11e87067304c92c2c1e109b7c062e8ad43041ba1f81f298fa8c65ad50e6
                                                              • Instruction ID: f0c00c031784dec364f1ad882624c9a4130f079a8bd65a81d607442679c623d0
                                                              • Opcode Fuzzy Hash: abc6b11e87067304c92c2c1e109b7c062e8ad43041ba1f81f298fa8c65ad50e6
                                                              • Instruction Fuzzy Hash: 5F71837150C2C28ED70F9F78CABA525BF78AF0B61170A55DBC4869F4B3C7A06452DB22
                                                              Function 5000F314 Relevance: .2, Instructions: 175COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb5c2b24833f8858918156b1e329fdc8cb702be7f90d728338c3e7cd29505e22
                                                              • Instruction ID: 9225bef96d409bbe89d64ea15d5ccd9c372acae3ccc2f5ff3bfb461466962ed0
                                                              • Opcode Fuzzy Hash: fb5c2b24833f8858918156b1e329fdc8cb702be7f90d728338c3e7cd29505e22
                                                              • Instruction Fuzzy Hash: 8461D57140C3C24ED70FDB788ABA515BF6D9F0B51470E55CBC486AF4B3C6906452DB62
                                                              Function 5000DD24 Relevance: .2, Instructions: 175COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd33e47fe2ed60b6c855f5020c94225a2e47ccfc907373729f6b9ff39f5c7378
                                                              • Instruction ID: bf9a4032b2f9ec18e9d4a08f838bd657c1ebfd012cae3ebb60bfedacbbd18020
                                                              • Opcode Fuzzy Hash: dd33e47fe2ed60b6c855f5020c94225a2e47ccfc907373729f6b9ff39f5c7378
                                                              • Instruction Fuzzy Hash: 0B61827150C2C28ED70F9F78CABA525BF78AF0B61170A55DBC4869F4B3C7A06452DB22
                                                              Function 5000F31C Relevance: .2, Instructions: 173COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bc505875f44a2ddfdd3551fb8b42b15dc74e1f0fac2767638191d58dc42ff13
                                                              • Instruction ID: be88f5dab6fc5cfd703824adeed4eb77a9afe75e0fb7168a8e627e48092cf26d
                                                              • Opcode Fuzzy Hash: 4bc505875f44a2ddfdd3551fb8b42b15dc74e1f0fac2767638191d58dc42ff13
                                                              • Instruction Fuzzy Hash: 7A61D47140C3C24ED70FDB788ABA511BF6D9F0B51470E55CBC486AF0B3C6906452DB62
                                                              Function 5000DD2C Relevance: .2, Instructions: 173COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b725eef5ad99bb8057f438e832bf35a869ee1405e1851f33d765ea914096622f
                                                              • Instruction ID: aca0205620e2bf9695ad597e2bab7fe479694239609729d6310e16d4d5db9ad3
                                                              • Opcode Fuzzy Hash: b725eef5ad99bb8057f438e832bf35a869ee1405e1851f33d765ea914096622f
                                                              • Instruction Fuzzy Hash: 1D61827150C2C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F4B3C7A06452DB22
                                                              Function 5000F324 Relevance: .2, Instructions: 171COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eac897ece386800e45fea07a5fc7c0335547c27458899b17c80e44664faeabdb
                                                              • Instruction ID: 9f546fd0fda7a769f50d8f5f52bd7edcb33f3e9077512e58a8760b6f43d3905b
                                                              • Opcode Fuzzy Hash: eac897ece386800e45fea07a5fc7c0335547c27458899b17c80e44664faeabdb
                                                              • Instruction Fuzzy Hash: 4F61C46140C3C24ED70FDB788ABA511BF6D9F0B51470E59CBC486AF0B3C6906852DB62
                                                              Function 5000DD34 Relevance: .2, Instructions: 171COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8a9bf1e393b38c487c1074cbcee704143fe181cee99b7b2b89905b9438a6c9e
                                                              • Instruction ID: 9a531cb18fe53c93856050b20e92668dbfbdf12e7fbed7396a6edf4162319ec7
                                                              • Opcode Fuzzy Hash: d8a9bf1e393b38c487c1074cbcee704143fe181cee99b7b2b89905b9438a6c9e
                                                              • Instruction Fuzzy Hash: F561817150C2C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F4A3C7A06452DB22
                                                              Function 5000F32C Relevance: .2, Instructions: 169COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50230cbe45e393f920eab3dab4ccc720aa2bb1d14e02d5edc645a00fc6ea3cb0
                                                              • Instruction ID: 939ee4c5950a32b818b916ab0b769d4ffac07a44e4cb748d496a64e8fa391117
                                                              • Opcode Fuzzy Hash: 50230cbe45e393f920eab3dab4ccc720aa2bb1d14e02d5edc645a00fc6ea3cb0
                                                              • Instruction Fuzzy Hash: D261C36140C3C24ED70FEB788ABA511BF6D9F0B51470E5ACFC486AF0B3C6906852DB62
                                                              Function 5000DD3C Relevance: .2, Instructions: 169COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 347831462371e6d8aa6b3b234ef8370ae0fbd6754df0e0fb7f9ded145cc5459b
                                                              • Instruction ID: 877b05385b165a2535cdd4086bbe6134b2f1774e6eaa9de0d642b2b1631edb52
                                                              • Opcode Fuzzy Hash: 347831462371e6d8aa6b3b234ef8370ae0fbd6754df0e0fb7f9ded145cc5459b
                                                              • Instruction Fuzzy Hash: 2861707150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F4A3C7A06452DB22
                                                              Function 5000F334 Relevance: .2, Instructions: 167COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2bdbb71a169f4e520d203e2360d06ba64e4aa1061de17a3eae5dcd7d15dda08
                                                              • Instruction ID: f61edfbee76f3585ea46a2ad5b416e26da60710236c9053a4e095037743e2820
                                                              • Opcode Fuzzy Hash: c2bdbb71a169f4e520d203e2360d06ba64e4aa1061de17a3eae5dcd7d15dda08
                                                              • Instruction Fuzzy Hash: A361B26140C3C24ED70FEB788ABA515BF699F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000DD44 Relevance: .2, Instructions: 167COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17856c13f440767edaca21485f05e594aed117a5cc31d91d1af2c945aff2e4fd
                                                              • Instruction ID: fc2fbdf60231eda3e9f54df5367b81dbdc5236e6d36ac37d0f94969c01df4f67
                                                              • Opcode Fuzzy Hash: 17856c13f440767edaca21485f05e594aed117a5cc31d91d1af2c945aff2e4fd
                                                              • Instruction Fuzzy Hash: 7061717150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F4A3C7A06452DB22
                                                              Function 5000F33C Relevance: .2, Instructions: 165COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae38d7379d667604813d62f54510d6757cf06fc191d14e50eda634cb6261c16b
                                                              • Instruction ID: 3b1714c0f214290fdcc1544171f0b50ebb2905036d8826889aefe440a68571c1
                                                              • Opcode Fuzzy Hash: ae38d7379d667604813d62f54510d6757cf06fc191d14e50eda634cb6261c16b
                                                              • Instruction Fuzzy Hash: 8151926150C3C24ED70FEB7C8ABA515BF6A9F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000DD4C Relevance: .2, Instructions: 165COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8deb47f63dde379fa7de41c7b70bf1cc06b33fed88e47f379e98bb826a1d52d2
                                                              • Instruction ID: ff3f88d1a839a01af4003f4ff53ae9a3359d8c0ba0defefcbcd96589254c57f3
                                                              • Opcode Fuzzy Hash: 8deb47f63dde379fa7de41c7b70bf1cc06b33fed88e47f379e98bb826a1d52d2
                                                              • Instruction Fuzzy Hash: E951627150C3C28ED70F9F78C9BA525BF78AF0B61170A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F344 Relevance: .2, Instructions: 161COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d218ef8479d01262300723f02a4b969cfccb4f966644181109cbe240f4877aa
                                                              • Instruction ID: 2ee8ee56b82b87ca09e7b611d44cb468d49c353820081308cef1d51117aa14fa
                                                              • Opcode Fuzzy Hash: 5d218ef8479d01262300723f02a4b969cfccb4f966644181109cbe240f4877aa
                                                              • Instruction Fuzzy Hash: 9F51A26150C3C24ED70FDB7C8ABA515BF6A9F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000DD54 Relevance: .2, Instructions: 161COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d6f4db23a99ebb9fb5bd7b726282400e6ab20f2a14618a21198deb1ff7e0c0d
                                                              • Instruction ID: 77d245cdbb3c6f6ca295ce9b16a6342245fb21ed12ad07fbfa2039d992d9202d
                                                              • Opcode Fuzzy Hash: 2d6f4db23a99ebb9fb5bd7b726282400e6ab20f2a14618a21198deb1ff7e0c0d
                                                              • Instruction Fuzzy Hash: E451727150C3C28ED70F9F78C9BA525BF78AF0B61170A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F34C Relevance: .2, Instructions: 157COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 594eacb917325c0a67111abc6fac75872c93efada7259c6d59fa16447827acba
                                                              • Instruction ID: 131f7d62ca685f5bf70fd66b0107eafd36397112b903e343d1b7df111d8505ae
                                                              • Opcode Fuzzy Hash: 594eacb917325c0a67111abc6fac75872c93efada7259c6d59fa16447827acba
                                                              • Instruction Fuzzy Hash: 2C51A26150C3C24ED70FEB7C8ABE515BF699F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000F49C Relevance: .2, Instructions: 157COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd8c34741d27fab28a38334d112197e3f64b1b9910687008662f413a2a07662c
                                                              • Instruction ID: 49097fe25a8029a325b95c3abdaa50c3a27e7ac3984ba84d9e0e32afc318137a
                                                              • Opcode Fuzzy Hash: dd8c34741d27fab28a38334d112197e3f64b1b9910687008662f413a2a07662c
                                                              • Instruction Fuzzy Hash: 5F510CA140D3C21EE70B9B38997A822BF6C9F0752434F55DFD585AF4B3E2905806DB36
                                                              Function 5000DD5C Relevance: .2, Instructions: 157COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4e67d15f0f93371502787ce2e40e53a97ac1139e8b463444cde4ca0cd10da49
                                                              • Instruction ID: 6a4f3e152d5638185df0f2c675e96c32ff9283c1a4800b7d7e0e88f1c0c04a01
                                                              • Opcode Fuzzy Hash: c4e67d15f0f93371502787ce2e40e53a97ac1139e8b463444cde4ca0cd10da49
                                                              • Instruction Fuzzy Hash: 9651637150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F354 Relevance: .2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 444e2e46c03c111c8b5b7b9b1436efb45348750680c441f054351b790e72c199
                                                              • Instruction ID: 1a39f98c4b277a62a58001a1486e48685eba7ca0e6b60d37cc71b9959f123919
                                                              • Opcode Fuzzy Hash: 444e2e46c03c111c8b5b7b9b1436efb45348750680c441f054351b790e72c199
                                                              • Instruction Fuzzy Hash: 3751B16150C3C24ED70FEB7C8ABE516BF699F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000F4A4 Relevance: .2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 95b9074462f33ee2e550fb9a0f640904352873844d749cffda61d995e1e51338
                                                              • Instruction ID: 2a79d48deaa7ec81e10b6ec5f432cd7894e9d626a6e7f2135ff07a98c045ee48
                                                              • Opcode Fuzzy Hash: 95b9074462f33ee2e550fb9a0f640904352873844d749cffda61d995e1e51338
                                                              • Instruction Fuzzy Hash: 945109A140D3C21EE70B9B3899BA822BF6C9F0751430F55DFD581AF4A3E2906802DB36
                                                              Function 5000DD64 Relevance: .2, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9b124c6a9b1c57b54819c7c770fb4ca35235591a7e019dcbb2f82470e2742864
                                                              • Instruction ID: 0581c106fa42e1868e9754a7b10abff13866a307d9de73bd643a2a9ed7557443
                                                              • Opcode Fuzzy Hash: 9b124c6a9b1c57b54819c7c770fb4ca35235591a7e019dcbb2f82470e2742864
                                                              • Instruction Fuzzy Hash: 8151727150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F35C Relevance: .1, Instructions: 149COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ec6952b1c8d362edbfc59853a566b78f80d453e3d820caba6bfa41dd0dc40dd
                                                              • Instruction ID: e5da73fcb61190050d40f5206176f865f103a7b036ec4ea35ab30b468bc0164b
                                                              • Opcode Fuzzy Hash: 5ec6952b1c8d362edbfc59853a566b78f80d453e3d820caba6bfa41dd0dc40dd
                                                              • Instruction Fuzzy Hash: B751916150C3C24ED70FEB7C8ABA516BF699F0B51430E59CBC486AF0B3D6906852DB62
                                                              Function 5000F4AC Relevance: .1, Instructions: 149COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 997f6a8b1c31084e978e9c9edad98b346e46867caf69e4a0246c1a2bc676da87
                                                              • Instruction ID: 6af6e47b4e0e9597a6b44621523a83c7e838da3081ac23249c618d58f33cc797
                                                              • Opcode Fuzzy Hash: 997f6a8b1c31084e978e9c9edad98b346e46867caf69e4a0246c1a2bc676da87
                                                              • Instruction Fuzzy Hash: 4051EAA140D3C21EE70F9B3899BA822BF6D9F0751434F55DFD581AF4A3E2906806DB36
                                                              Function 5000DD6C Relevance: .1, Instructions: 149COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 397f1f10c7feea54dabd17891360ada1957e2ac22028a2a799180dc9aac16244
                                                              • Instruction ID: 7073048a54df3ef88ebeb105f09e80f1816b30cf66e5b4d9b17e7b96dfa1a89f
                                                              • Opcode Fuzzy Hash: 397f1f10c7feea54dabd17891360ada1957e2ac22028a2a799180dc9aac16244
                                                              • Instruction Fuzzy Hash: C651727150C3C28ED70F9F78D9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F364 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 833ae9d7e6531816810fc2a89b2e242e94e02fc59ea8ffbf8cd700152c1fee4a
                                                              • Instruction ID: 88f187fbdc703e974012baa026c7b3fa35361f95fabed97789f67d2b5032bb8c
                                                              • Opcode Fuzzy Hash: 833ae9d7e6531816810fc2a89b2e242e94e02fc59ea8ffbf8cd700152c1fee4a
                                                              • Instruction Fuzzy Hash: FC51916150C3C24ED70FEB7C8ABA515BF6A9F0B51470E59CBC486AF0B3C6906852DB62
                                                              Function 5000F4B4 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57f21edb62718712aee7d1071af6def402ce50f11da8900321edfce4b56dac09
                                                              • Instruction ID: afaa273fc57fd6afe5434914896a687af30d32dfcec58b2d6d3593832a37b740
                                                              • Opcode Fuzzy Hash: 57f21edb62718712aee7d1071af6def402ce50f11da8900321edfce4b56dac09
                                                              • Instruction Fuzzy Hash: 5A51FAA140D3C21EE70F9B38997A822BF6D9F0751430F55DFD581AF4A3D2906802DB36
                                                              Function 5000DD74 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5376b338d19955ac32c28e09dbf12a1cc22f3bc628e0bdb0247ef968373e5f81
                                                              • Instruction ID: c776acd998f3057ae2de3f52301f43487575a316180590234fe192d8424e5b83
                                                              • Opcode Fuzzy Hash: 5376b338d19955ac32c28e09dbf12a1cc22f3bc628e0bdb0247ef968373e5f81
                                                              • Instruction Fuzzy Hash: A751717150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F36C Relevance: .1, Instructions: 143COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72da3c89bba837fae64193288d7af9ec31c36f09fa2dcfa6f7040a8a87af9a80
                                                              • Instruction ID: 949ca40fc904ef577c42317ee883eac1929ce925487f33f62a48b37f02c2d36a
                                                              • Opcode Fuzzy Hash: 72da3c89bba837fae64193288d7af9ec31c36f09fa2dcfa6f7040a8a87af9a80
                                                              • Instruction Fuzzy Hash: 1851906150C3C24ED70FEB7C8ABA515BF6A9F0B51430E59CBC486AF0B3C6906852DB62
                                                              Function 5000DD7C Relevance: .1, Instructions: 143COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58f18d6dda43142867d03e558b17fda22e42db8f781fee5f7b1039751cb282ed
                                                              • Instruction ID: 9534a5883d6e8332f731fe51fcc6c6cf3c944b29ddcba81e2583c91b19798d98
                                                              • Opcode Fuzzy Hash: 58f18d6dda43142867d03e558b17fda22e42db8f781fee5f7b1039751cb282ed
                                                              • Instruction Fuzzy Hash: 2251627150C2C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F4BC Relevance: .1, Instructions: 141COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4907dea7111d48b683f1cdb9efa829f1e7c1b9be261c367e119b4c12755e09b1
                                                              • Instruction ID: 54050581bd3b98f1dbf78c168840164e80e3847e6d3e9ba60836d45e8d48e857
                                                              • Opcode Fuzzy Hash: 4907dea7111d48b683f1cdb9efa829f1e7c1b9be261c367e119b4c12755e09b1
                                                              • Instruction Fuzzy Hash: 4551E8A140D3C25EE70F9B389ABA822BF6D9F0751431E55DFD581AF4A3D2906802DB36
                                                              Function 5000F374 Relevance: .1, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3514b19deb558446eeacc01544bfa78a01602e12f7e11953e45139fb7fde20b
                                                              • Instruction ID: ba44e50a155758ace7f7d9b54cbc65622b36691f037abb4111e0a9c04a324ab3
                                                              • Opcode Fuzzy Hash: b3514b19deb558446eeacc01544bfa78a01602e12f7e11953e45139fb7fde20b
                                                              • Instruction Fuzzy Hash: EA51926150C3C24ED70FEB788ABA515BF6A9F0B51430E59CBC486AF0B3D6906852DB62
                                                              Function 5000DD84 Relevance: .1, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a610c2128363e097f4dbe9765dc982b95319c07143ae77dff544063c204603d
                                                              • Instruction ID: 922f654ae688b3d0b4e79d21dd3c5a71964cb668cef48cb394e1e22305266e5e
                                                              • Opcode Fuzzy Hash: 2a610c2128363e097f4dbe9765dc982b95319c07143ae77dff544063c204603d
                                                              • Instruction Fuzzy Hash: D651727150C3C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F4C4 Relevance: .1, Instructions: 137COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a928e5b40174f5f1359d62bfa313e2170d212f4e504b00c8755de760f861b811
                                                              • Instruction ID: 5b73c197ac15e778d5cc62ff2e6404a4c310c904062367c9f92c703836b33bad
                                                              • Opcode Fuzzy Hash: a928e5b40174f5f1359d62bfa313e2170d212f4e504b00c8755de760f861b811
                                                              • Instruction Fuzzy Hash: 7E51FBA140D3C21EE70F9B389A7A822BF6D9F0751431E55DFD581AF4B3D2906802DB36
                                                              Function 5000F37C Relevance: .1, Instructions: 135COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34addfdfd44d2b5a7ee3eb067485da2a0c1ac97cbb83e561f29096e57ed5b4eb
                                                              • Instruction ID: 96fe11994be0b75f9563daf82432513874e9be437c2a1f26291a1d4f2f607fca
                                                              • Opcode Fuzzy Hash: 34addfdfd44d2b5a7ee3eb067485da2a0c1ac97cbb83e561f29096e57ed5b4eb
                                                              • Instruction Fuzzy Hash: B251936150C3C24ED70FDB788ABE516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                              Function 5000DD8C Relevance: .1, Instructions: 135COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79aaa6c0de2dc065a7b3b81e3823d87c4233978bbcbe77b1d553517de72bb336
                                                              • Instruction ID: 0186ce17429e513dd024f2116ea5009f4af07db10d1ecc6184b1adb19083cce7
                                                              • Opcode Fuzzy Hash: 79aaa6c0de2dc065a7b3b81e3823d87c4233978bbcbe77b1d553517de72bb336
                                                              • Instruction Fuzzy Hash: 8751837150C3C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F4CC Relevance: .1, Instructions: 133COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0433af7b600c67462db1beb39ad79faa7adac56697021000603bb5cf8c45bc76
                                                              • Instruction ID: 2e9cc7c118d5684bc58e0753e3159db40eca44ffbd4b232cc05152bb2269d7a2
                                                              • Opcode Fuzzy Hash: 0433af7b600c67462db1beb39ad79faa7adac56697021000603bb5cf8c45bc76
                                                              • Instruction Fuzzy Hash: 7A51FCA140C3C15EE70F9B389A7A822BF6D9F0B51431E55DFD581AF4B3D2906812DB36
                                                              Function 5000F384 Relevance: .1, Instructions: 131COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb2bf226f43f421fb2a42918cfea585ca1279c0e26961ebeefe3f18fd68a0469
                                                              • Instruction ID: b0cf766b044fdeb08461907f15d5c85ddbed29b5ecf835b6a41b37f46dab4d83
                                                              • Opcode Fuzzy Hash: eb2bf226f43f421fb2a42918cfea585ca1279c0e26961ebeefe3f18fd68a0469
                                                              • Instruction Fuzzy Hash: FC51A46150C3C24ED70FDB788ABE516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                              Function 5000DD94 Relevance: .1, Instructions: 131COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6dbf02b5eb8fb7eb52cc7bb35137d6e26b37df2db80cf6353b457e7effc8dd08
                                                              • Instruction ID: 5ad55dd7ce5ca3c7212f47d891035b313c114e872d8ff3384c55cc43ddf9bd78
                                                              • Opcode Fuzzy Hash: 6dbf02b5eb8fb7eb52cc7bb35137d6e26b37df2db80cf6353b457e7effc8dd08
                                                              • Instruction Fuzzy Hash: DB51937150C3C28ED70F9F78C9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                              Function 5000F4D4 Relevance: .1, Instructions: 129COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85a2d5a66bb4aa8700f994987f481b7c78fa599f6f9fb65f52af72537aa264ea
                                                              • Instruction ID: 62a3478aba6f4a637f269b856829e269853efbc2686c112e28406519e55a5c6e
                                                              • Opcode Fuzzy Hash: 85a2d5a66bb4aa8700f994987f481b7c78fa599f6f9fb65f52af72537aa264ea
                                                              • Instruction Fuzzy Hash: 3041F9A140C3C15EE70F9B389ABA822BF6D9F0B51431E55DFD581AF4B3D2906812DB26
                                                              Function 5000F38C Relevance: .1, Instructions: 127COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 232f98d8c0e135eafc84de5d646b48cd7ea02f24ba742cf4345c6c2cdaad44f2
                                                              • Instruction ID: 3fc2cc2ff6e1a8461ab9fba211dac5ebc88479344d6b8d3670da24eca6de4668
                                                              • Opcode Fuzzy Hash: 232f98d8c0e135eafc84de5d646b48cd7ea02f24ba742cf4345c6c2cdaad44f2
                                                              • Instruction Fuzzy Hash: 8541B46150C3C24ED70FDB788ABA516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                              Function 5000DD9C Relevance: .1, Instructions: 127COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a45190e09d9bf236810e4ff8266c93ef797d6677686cf211f3336a455a03fe95
                                                              • Instruction ID: 0ef01a6513dc70f9e567cdd524f21d4da15701458fb2f4443698a613dc1f395d
                                                              • Opcode Fuzzy Hash: a45190e09d9bf236810e4ff8266c93ef797d6677686cf211f3336a455a03fe95
                                                              • Instruction Fuzzy Hash: 3441947150C3C28ED70F9F78C9BA525BF799F0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F4DC Relevance: .1, Instructions: 125COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64e4de89f26db7d15624a623295065e809851b163e311952cc282a26242bef1b
                                                              • Instruction ID: 0cdebaf52018e39d301011330c67596e957d6c034db2cae8bb07529f92304067
                                                              • Opcode Fuzzy Hash: 64e4de89f26db7d15624a623295065e809851b163e311952cc282a26242bef1b
                                                              • Instruction Fuzzy Hash: 3341097140C3C15EE70F9B389ABA822BF6D9F0B51431E55DFD582AF0B3D2902812DB22
                                                              Function 5000F394 Relevance: .1, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0eaaa241b57f6bc6181771671b55686257299d2fc79d139517029d2c1eb92ffe
                                                              • Instruction ID: 799071888f44a204b264985ad53d5e038b3ad1f9471cc687eb681bc2de520f8c
                                                              • Opcode Fuzzy Hash: 0eaaa241b57f6bc6181771671b55686257299d2fc79d139517029d2c1eb92ffe
                                                              • Instruction Fuzzy Hash: AC41C46150C3C24ED70FDB788ABA512BF699F0B51430E59CFC486AF0B3D2906852DB62
                                                              Function 5000DDA4 Relevance: .1, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2739e082485819c3b4929c626a7cd21152edd68a8f7d43b954cb8737767b212
                                                              • Instruction ID: a52ec24117d3ab1e218e1352be94492858e3319532a51e37110d135d307abffc
                                                              • Opcode Fuzzy Hash: f2739e082485819c3b4929c626a7cd21152edd68a8f7d43b954cb8737767b212
                                                              • Instruction Fuzzy Hash: 4541A37150C3C28ED70F9F78C9BA525BF799F0B61170A59DBC8869F0A3C7A06452DB22
                                                              Function 5000F39C Relevance: .1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b83d7f176e03407a54ccfd9feeecfa8ad5de2ef462d38d8f535d0ff4b593184f
                                                              • Instruction ID: b506451c5a525a21d55edf40b1feeb30a3f4208dd948754419113baf5e356db2
                                                              • Opcode Fuzzy Hash: b83d7f176e03407a54ccfd9feeecfa8ad5de2ef462d38d8f535d0ff4b593184f
                                                              • Instruction Fuzzy Hash: 1941B46150C3C24ED70FDB788ABA512BF695F0B51470E55DBC486AF0B3D2906852DB62
                                                              Function 5000DDAC Relevance: .1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd3460e2b8c3e69ef91e6cee421c7f808776796e869f078115faeded1848212f
                                                              • Instruction ID: ff6314490a249f9d610b48da2f6e9bbf228d8d2e7f03a33634c924506a6540db
                                                              • Opcode Fuzzy Hash: dd3460e2b8c3e69ef91e6cee421c7f808776796e869f078115faeded1848212f
                                                              • Instruction Fuzzy Hash: 7C41B47150C3C28ED70F9F78C97A526BF799F0B61170A55DBC8869F0A3C7A06452DB22
                                                              Function 5000F3A4 Relevance: .1, Instructions: 115COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f8fb8cd2d7c2b81a64f89de5bd964935982901503c70eefd73c47a3bcadb099
                                                              • Instruction ID: 3263b5f4857bf175e89eeb243d1c0a6d58a26a7efd25f3d794fe1456fdeb102a
                                                              • Opcode Fuzzy Hash: 2f8fb8cd2d7c2b81a64f89de5bd964935982901503c70eefd73c47a3bcadb099
                                                              • Instruction Fuzzy Hash: E641C26150C3C24ED70FDB788ABA512BF6A4F0B51470E59DFC4C6AF0B3D2906852DB62
                                                              Function 5000DDB4 Relevance: .1, Instructions: 115COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16eedda9ba77c2bc4e2384b23185aa3d1ec3959f62fcd8b9fe3d69b70e4bdbc6
                                                              • Instruction ID: f7e4599e4e7867a802b3eb4e05e0015a082f56fcae96caea9ca7a8766ee51d12
                                                              • Opcode Fuzzy Hash: 16eedda9ba77c2bc4e2384b23185aa3d1ec3959f62fcd8b9fe3d69b70e4bdbc6
                                                              • Instruction Fuzzy Hash: 4C41C47150C3C28ED70F9B78C97A526BF799F0B61170B55DBC8869F0A3C7A06452DB22
                                                              Function 5000F3AC Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a6d4b7d70e694d642e38b7f67a926c85b0efd4a218be56cfc94f72f4b9ae774
                                                              • Instruction ID: f50eb0c9d710099c9e36cda64ef9485ce88b719be1985f8746dd3ed3426dbbc4
                                                              • Opcode Fuzzy Hash: 1a6d4b7d70e694d642e38b7f67a926c85b0efd4a218be56cfc94f72f4b9ae774
                                                              • Instruction Fuzzy Hash: AE41C06150C3C25ED70FDB788ABA912BF6A4F0B51470E59CBC4C6AF0A3D2906852DB62
                                                              Function 5000DDBC Relevance: .1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3aee2a0816077d979255bbba36b0d20920930654fa2e91b6625b7af12c0a1e19
                                                              • Instruction ID: e7091c543f10435a6a23ffde79173a8d0a1473f273009963e1f406fac5c0330f
                                                              • Opcode Fuzzy Hash: 3aee2a0816077d979255bbba36b0d20920930654fa2e91b6625b7af12c0a1e19
                                                              • Instruction Fuzzy Hash: 9241C57150C3C28ED70F9B78C97A526BF799F0B61170B55CBC8869F0A3D7A06452DB22
                                                              Function 5000F3B4 Relevance: .1, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ed0b2cdb4797004e15f86e26ad3265e17611babe09be66f6d5c4a0f4f2742be
                                                              • Instruction ID: 0870f6b0535de476316ad35050b2644094cf3084e92712b6cf48d64f33b877da
                                                              • Opcode Fuzzy Hash: 0ed0b2cdb4797004e15f86e26ad3265e17611babe09be66f6d5c4a0f4f2742be
                                                              • Instruction Fuzzy Hash: BE41D26150C3C25EC70FDB788ABA512BF6A4F0B51470E49CBC4C6AF0A3D2906842DB62
                                                              Function 5000F3BC Relevance: .1, Instructions: 103COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c0ba2946be4e934cfb6af309a38e24d18ae1d811dd4e4f48ed2dfd9d253d0f6
                                                              • Instruction ID: 96df6c832e6b686c91687481a92e51f4eda9a38bea472512708f17115c3851cb
                                                              • Opcode Fuzzy Hash: 9c0ba2946be4e934cfb6af309a38e24d18ae1d811dd4e4f48ed2dfd9d253d0f6
                                                              • Instruction Fuzzy Hash: A241C26150C3C25EC70FDB788ABE552BF6A4F0B51470F49CBC8C6AF0A3D6905842DB62
                                                              Function 5000F3C4 Relevance: .1, Instructions: 99COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 377dcbb99adbcb434e0cd40737976ad7345ac9f17d7508ae7485f1fb7afcd500
                                                              • Instruction ID: 547cd1405ad6ebc29e666c8d47af22b778838109ed2475185324bead7b444438
                                                              • Opcode Fuzzy Hash: 377dcbb99adbcb434e0cd40737976ad7345ac9f17d7508ae7485f1fb7afcd500
                                                              • Instruction Fuzzy Hash: 3131C26150C3C25EC70BDB788ABE652BF6A4F0B51470F49CBC8C6AF0A3D6905846D772
                                                              Function 5000F3CC Relevance: .1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a868bebe2a9508543c0f547311fc6fe15bcb5220372f02094522db7565f9ccd4
                                                              • Instruction ID: 4b3e27420bcdae3d7d9ee813c95c2590bf73f13399b7736b3773871ebb54f839
                                                              • Opcode Fuzzy Hash: a868bebe2a9508543c0f547311fc6fe15bcb5220372f02094522db7565f9ccd4
                                                              • Instruction Fuzzy Hash: 5C31D36150C3C25EC70BDB388ABE652BF6A4F0B52470F49CBC8C6AF0A3D6905842D732
                                                              Function 5000F3D4 Relevance: .1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6de29b6288df6518dea009e3621f8dcbc0f1abe7c7e1f92af88a93e13ab87424
                                                              • Instruction ID: ab0a210c9060012819722a28ce0b1d7a21dc3a68c761b87af5fd388abcbb25ec
                                                              • Opcode Fuzzy Hash: 6de29b6288df6518dea009e3621f8dcbc0f1abe7c7e1f92af88a93e13ab87424
                                                              • Instruction Fuzzy Hash: 5331C36150D3C25EC70BCB388ABE642BF6A4F0752470F49CBD8C6AF1A3D6905846D732
                                                              Function 5000F3DC Relevance: .1, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d27aeffe552962de140c2b558c15e2eac5bac2f676c0f96a29fd34bbbcd680a
                                                              • Instruction ID: 90050da6681d7e18b3c2b946a6091bd5d1a649a39c03ef36a4d538d43795e1c7
                                                              • Opcode Fuzzy Hash: 2d27aeffe552962de140c2b558c15e2eac5bac2f676c0f96a29fd34bbbcd680a
                                                              • Instruction Fuzzy Hash: A731D16150D3C25ECB0BCB388ABE642BF694F0752470F89CBD8C6AF1A3D6905846C732
                                                              Function 5000F3E4 Relevance: .1, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3693d5d7c4d8994bf25cef92e3c537f847a0c057638f888d6bb94e17e2cd1c3
                                                              • Instruction ID: ffb9574106903f95e981337fd20e03d09e5f5e3e9a9f0c8ff08fd706da1a4bf7
                                                              • Opcode Fuzzy Hash: a3693d5d7c4d8994bf25cef92e3c537f847a0c057638f888d6bb94e17e2cd1c3
                                                              • Instruction Fuzzy Hash: 1831D46150D3C25EC70BCB388ABE642BF294F0752470F89CBD8C5AF1A3D6905846C732
                                                              Function 5000F3EC Relevance: .1, Instructions: 79COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cbb47529b74f020eec2d68254f2eea6ab3bb5b7bdb23b9c3fe4af16c7c4b114
                                                              • Instruction ID: 18a680fbb2978608615c1e7e1b7edbe9658ea2f488822ff28aa63c7b05246d15
                                                              • Opcode Fuzzy Hash: 0cbb47529b74f020eec2d68254f2eea6ab3bb5b7bdb23b9c3fe4af16c7c4b114
                                                              • Instruction Fuzzy Hash: 0121C46150D3C25ECB0BCB3899BE642BF294F0752470F89DBD8C9AF1A7D6905846C736
                                                              Function 5000F3F4 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 839aed5898a558115d2c6057863e52b519da3dc21e6c40edfdafe6494ac489cb
                                                              • Instruction ID: 9cded7cc9a65572818db5daf3902e06bd0151a2575880d752f444894920ffbe6
                                                              • Opcode Fuzzy Hash: 839aed5898a558115d2c6057863e52b519da3dc21e6c40edfdafe6494ac489cb
                                                              • Instruction Fuzzy Hash: DE21AF6150D3C25ECB0BCB3899BE642BF294F0752470F89DBD8CAAF1A7D6905846C736
                                                              Function 5000F3FC Relevance: .1, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1239f6313ea3d64a245473703988f97a2c4f0ef001d7f042656abd80695b948
                                                              • Instruction ID: 8000e56101f26094c6cbb0de5451a529b1d18923c535a7a5f4b057e93c63fe8b
                                                              • Opcode Fuzzy Hash: b1239f6313ea3d64a245473703988f97a2c4f0ef001d7f042656abd80695b948
                                                              • Instruction Fuzzy Hash: 3F21925150D3C25ECB0B8B3899BE642BF294F0752470F85DBD8C9AF1A7D2905846C736
                                                              Function 5000F404 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 995feed87c7f7cb87c13af039b271845d89fd20696315da500a0efd5cdafb177
                                                              • Instruction ID: b250a9399b764dd11cdb7eb164a84c96e8c989ead45fa68440ab598c8299c688
                                                              • Opcode Fuzzy Hash: 995feed87c7f7cb87c13af039b271845d89fd20696315da500a0efd5cdafb177
                                                              • Instruction Fuzzy Hash: FE21725150D3C25ECB0B8B3899BE642BF294F0752470F85DBD8C9AF1A7D2905846C776
                                                              Function 5000F004 Relevance: .1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b0553c6a9eeb345abdfe96f5863aed8e19392eb67da17bf46f6f1236ef3a5bd
                                                              • Instruction ID: 294ebc6e36bfa84b8af9c1f6b3332ed407d9d57d6fc452ce18b054f00ff591c7
                                                              • Opcode Fuzzy Hash: 0b0553c6a9eeb345abdfe96f5863aed8e19392eb67da17bf46f6f1236ef3a5bd
                                                              • Instruction Fuzzy Hash: 9921C07150D3C2AED70B9B78D8AA893BF785F0312030F84DBD8859F0A3D2946446DB36
                                                              Function 5000F00C Relevance: .1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77a8032ebb0997df202f49433e817c685d8f204a00bddfb233786512946dbd4e
                                                              • Instruction ID: 1d99299f3eb978e5b191b7cb0aa796539c87189ee4168db152b11ba3d5b4521d
                                                              • Opcode Fuzzy Hash: 77a8032ebb0997df202f49433e817c685d8f204a00bddfb233786512946dbd4e
                                                              • Instruction Fuzzy Hash: 8221727150D3C2AED70B9B7898AA893BF685F0712030F84DBD8859F0A7D2945846DB36
                                                              Function 5000F40C Relevance: .1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0956bbe9c2cb9ce1b1c5934d5df3ebd46e3dfadb2b11f84a33b106ed10cee5eb
                                                              • Instruction ID: 5f3e23254df2c9fa77e1c094f18f07388bc6d4b231e1283e537bed0854d79554
                                                              • Opcode Fuzzy Hash: 0956bbe9c2cb9ce1b1c5934d5df3ebd46e3dfadb2b11f84a33b106ed10cee5eb
                                                              • Instruction Fuzzy Hash: BF21629150D3D25ECB0B8B3899AD642BF290F0752470F89DBD8C9EF1A7E2905846C776
                                                              Function 5000B700 Relevance: .1, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                              • Instruction ID: 48e600bd759bbfa2265315c07dc42d3b28e21479b5ab4ae613322dfec101f601
                                                              • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                              • Instruction Fuzzy Hash: 31019632B057110B974CDD7ECD9962AB6D3ABC8910F49C73D958DC76C4DD718C1AC682
                                                              Function 5000F014 Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4b6d3c4bfe2e57a8b7fed201a702f29ac867465c00b920c23a26741492a280d
                                                              • Instruction ID: d2b6273b6703b3d88bcc40d787116e7a0318eb56f86772c93eb29266fab1835a
                                                              • Opcode Fuzzy Hash: f4b6d3c4bfe2e57a8b7fed201a702f29ac867465c00b920c23a26741492a280d
                                                              • Instruction Fuzzy Hash: 6011747164D3C26ED70B9B7898BE993BF685F0312030F84DBD8859F0A7D2945446DB36
                                                              Function 5000F414 Relevance: .1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdfee83b82c565a4e7ac9c4da2d0d7cecea1a54780142729f15290b8ecaf0d14
                                                              • Instruction ID: 7b16072ced5c5b054f7ef6ec151deeaa3e20a332d68b347ac5da73dca5b72b95
                                                              • Opcode Fuzzy Hash: cdfee83b82c565a4e7ac9c4da2d0d7cecea1a54780142729f15290b8ecaf0d14
                                                              • Instruction Fuzzy Hash: FA11509150D3D21ECB0B8A3899AD643BF290F0742470F89DFD8C9EF1A7E2809846C776
                                                              Function 5000F01C Relevance: .1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7795690fc472fc05c8e4f1721952c89e46b387116118b94d48d187edd653a6d
                                                              • Instruction ID: 1336c1c6c869dfbdec52380e2819109f2de454913a1383410b7eb0fe453b020a
                                                              • Opcode Fuzzy Hash: b7795690fc472fc05c8e4f1721952c89e46b387116118b94d48d187edd653a6d
                                                              • Instruction Fuzzy Hash: 5211956164D3C26ED70B9B789CAD993BF684F0312030F84DBD885DF0A7D2985446DB36
                                                              Function 5000F41C Relevance: .1, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4edaa24f9e6d4c16ee4e0b2c1813815e4468ce42ab64fee7cd8e4e482934711
                                                              • Instruction ID: f98e8ed164f036f1284f8baf32266f993850e8caff11f796e30daec9a069eb1c
                                                              • Opcode Fuzzy Hash: a4edaa24f9e6d4c16ee4e0b2c1813815e4468ce42ab64fee7cd8e4e482934711
                                                              • Instruction Fuzzy Hash: E811569150D3D21ECB078A3899AD647BF290F0742470F85DFD8D9EF1A7E2848806C376
                                                              Function 5000F424 Relevance: .1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cafd39a89990e2fcc8ae337e8ff87e563eae387e72d9a806b1b171c35838954
                                                              • Instruction ID: 5de9e79987f524e7ebc613a75a1141ab377e81f6d1272a04d60b365942957531
                                                              • Opcode Fuzzy Hash: 1cafd39a89990e2fcc8ae337e8ff87e563eae387e72d9a806b1b171c35838954
                                                              • Instruction Fuzzy Hash: 1211369150D3D11ECB078A3899AD647BF690F0742470F85DFD8D9EF1A7E6848806C376
                                                              Function 5000F42C Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7d949ca1dbc99cc0334ef8171838ff80204d0662f11b6f25e411533b7b90685
                                                              • Instruction ID: ea762f9894b33e92b483e9443b16279c4a031518ebdf0e822648794410dc10b6
                                                              • Opcode Fuzzy Hash: e7d949ca1dbc99cc0334ef8171838ff80204d0662f11b6f25e411533b7b90685
                                                              • Instruction Fuzzy Hash: A211179250D3D25EC7478A3898AD647BF690F1742470F85DFD8D9EF197E2848806C376
                                                              Function 5000F434 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 719214b484367dc3bd4cfb05001d0540d54cd922fd573b652aa102bb27eedb55
                                                              • Instruction ID: b7c2800c27e424f437c1ed58986b12da29b35406fa010acf6dfe6e2cd6457fd3
                                                              • Opcode Fuzzy Hash: 719214b484367dc3bd4cfb05001d0540d54cd922fd573b652aa102bb27eedb55
                                                              • Instruction Fuzzy Hash: 8D01129260D3D21EC7478A3898ADA47BE690F1742470F89DFDCD9EF197E2848806C376
                                                              Function 5000F43C Relevance: .0, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1e47844cd93ca84784c79f7d341b9e053281c3b4133cae1a5c05864f54e258f
                                                              • Instruction ID: 7473588c50868cdd4cf269cefb6fabf10eaf1346cbac2aa0736d0132a9a779a0
                                                              • Opcode Fuzzy Hash: f1e47844cd93ca84784c79f7d341b9e053281c3b4133cae1a5c05864f54e258f
                                                              • Instruction Fuzzy Hash: AB01F29260D3D22ECB43863898AD9477E690E5742430F89DF9CD9EF157E6848806C376
                                                              Function 5000F444 Relevance: .0, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8a73dba0381db9dbe2b330d1731483e2c560fe39a4457131bb36ff6936a4f83e
                                                              • Instruction ID: affd36c6c64f70e4dee5fbd6358e9c8d13ad5ec6fb3142a69267087980e65f6e
                                                              • Opcode Fuzzy Hash: 8a73dba0381db9dbe2b330d1731483e2c560fe39a4457131bb36ff6936a4f83e
                                                              • Instruction Fuzzy Hash: D901D49260D3D22ECB43C63C98AD9477E690E5743430F89DF98D9EF557E6848806C376
                                                              Function 5000F05C Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a32254a26ec7745de881303c7ac90fb81c22ee6ef5ce8fe5113023a79fea4d0
                                                              • Instruction ID: 919b428233cae173511029aa0f2b27a77bfc61ebef004b7e03d13958cfa4ce04
                                                              • Opcode Fuzzy Hash: 4a32254a26ec7745de881303c7ac90fb81c22ee6ef5ce8fe5113023a79fea4d0
                                                              • Instruction Fuzzy Hash: ACF045A160D3C26ED747AB7898AD993BF284F4312030F84DBD885DF0A7E2905406D736
                                                              Function 50035C20 Relevance: 103.9, APIs: 69, Instructions: 368COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bf8a6de5c9f8c9d7e517e51bd62a19dfb8c78758219dd0e824031e703cacb4c
                                                              • Instruction ID: 291804c5f43cdfc78084270f64e0253c3007c7fa4c2f6c3958579e3ed68424f8
                                                              • Opcode Fuzzy Hash: 3bf8a6de5c9f8c9d7e517e51bd62a19dfb8c78758219dd0e824031e703cacb4c
                                                              • Instruction Fuzzy Hash: 51D12A346012948FDF02EBA4E8928DDB7B1AF95200FA48753F9049B35AC774EE46DBD1
                                                              Function 50034CA0 Relevance: 102.4, APIs: 68, Instructions: 397COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74db559cb30daf2934ee409c68907b95b0d062c0d1b08305e77d9b3fc273fbf4
                                                              • Instruction ID: e41317646b9cb6a22585a59808d0b658e49fa76341f2179ceac9ae4dee40bb3b
                                                              • Opcode Fuzzy Hash: 74db559cb30daf2934ee409c68907b95b0d062c0d1b08305e77d9b3fc273fbf4
                                                              • Instruction Fuzzy Hash: CAE17B306051948FDF41EBD4D891BEDB7A6AF99212F508323F904DB2A6CB75AC028BD1
                                                              Function 50035548 Relevance: 102.4, APIs: 68, Instructions: 363COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4dff6d1aff6dbcb5c55c52f9778a04b01edc7b7968e91cb192ddaf45763efcb2
                                                              • Instruction ID: 5246c103563c2e39cd0757797e0bd30880b93580db4b712d1ebc8a1cb4ddd487
                                                              • Opcode Fuzzy Hash: 4dff6d1aff6dbcb5c55c52f9778a04b01edc7b7968e91cb192ddaf45763efcb2
                                                              • Instruction Fuzzy Hash: BAD1A0346055898FCF02EBA4E8D18DDB7B1AF54202F68C752F9049B26AC734DE42DBD2
                                                              Function 50029078 Relevance: 77.2, APIs: 38, Strings: 6, Instructions: 212threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • IsValidLocale.KERNEL32(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002909F
                                                              • GetThreadLocale.KERNEL32(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290AC
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290C9
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290D4
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290E9
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290F3
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002910A
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029114
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029127
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002913B
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029154
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002915E
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029171
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002918A
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291A0
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291B5
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291CB
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291DB
                                                                • Part of subcall function 50025BC4: GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,50028D40,00000000,50028F6A,?,?,00000000,00000000), ref: 50025BD7
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291F4
                                                                • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291FF
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029214
                                                                • Part of subcall function 50025B78: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002921F
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029229
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029233
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029248
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029252
                                                                • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029263
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029272
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029287
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029291
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292AA
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292B4
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292C5
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292D4
                                                              • @System@@UStrCatN$qqrv.RTL120(?,:mm,?,?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292EF
                                                              • @System@@UStrCatN$qqrv.RTL120(?,:mm:ss,?,?,?,:mm,?,?,?,00000001,00000000,5002933E), ref: 5002930A
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,:mm:ss,?,?,?,:mm,?,?,?,00000001,00000000,5002933E), ref: 5002931A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$String$Sysutils@$Locale$System@@$Asg$qqrr20Stringx20$Str$qqriix20$Def$qqrx20Stringi$Char$qqriib$FreeInfoMem$qqrpvN$qqrv$CharFromLen$qqrr20Long$qqrx20Move$qqrpxvpviString$qqriStringpbiStringriThreadValid
                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                              • API String ID: 1591733115-2493093252
                                                              • Opcode ID: d39b3aeaf06a43d5e51a57cb72a8f0b0344bee30f2a786df34325c6a8d5a2eb3
                                                              • Instruction ID: c56b8177db0a57ba453c3af60c07cd0ceb7fdab362b64694d1a226fae421d36e
                                                              • Opcode Fuzzy Hash: d39b3aeaf06a43d5e51a57cb72a8f0b0344bee30f2a786df34325c6a8d5a2eb3
                                                              • Instruction Fuzzy Hash: 047158317022CA9BDF01DBE4F891ADEB3BADF98300F908637B105AB656D635DD058794
                                                              Function 50028C8C Relevance: 75.5, APIs: 37, Strings: 6, Instructions: 203threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(00000000,50028F6A,?,?,00000000,00000000), ref: 50028CC2
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028CD6
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028CE3
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028CF8
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D02
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028D1C
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D26
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D3B
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D51
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028D6C
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D76
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D8B
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028DA6
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DBE
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028DD3
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DEB
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DFB
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E16
                                                                • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E23
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E38
                                                                • Part of subcall function 50025B78: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E45
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E4F
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E59
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E6E
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E78
                                                                • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E89
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E98
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028EAD
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EB7
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028ED0
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EDA
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EEB
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EFA
                                                              • @System@@UStrCatN$qqrv.RTL120(?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F17
                                                              • @System@@UStrCatN$qqrv.RTL120(?,:mm:ss,?,?,?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F34
                                                              • @Sysutils@GetLocaleChar$qqriib.RTL120(?,:mm:ss,?,?,?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F44
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$String$Sysutils@$System@@$Locale$Asg$qqrr20Stringx20$Str$qqriix20$Def$qqrx20Stringi$Char$qqriib$FreeMem$qqrpvN$qqrv$CharFromInfoLen$qqrr20Long$qqrx20Move$qqrpxvpviString$qqriStringpbiStringriThread
                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                              • API String ID: 2238068362-2493093252
                                                              • Opcode ID: 578a5909f94e02bd4f20fe4711f945c39aa07445c328b27e69a5ead81c01f26d
                                                              • Instruction ID: a8aad9425a59888f8c7a4424cecd7dbef86d1a9361a3f9030e8a3f94b0420b5d
                                                              • Opcode Fuzzy Hash: 578a5909f94e02bd4f20fe4711f945c39aa07445c328b27e69a5ead81c01f26d
                                                              • Instruction Fuzzy Hash: 0E7170346031CA9BEF41EBE4FC916DE737A9F98300F908636F100AB256DB39D94587A4
                                                              Function 50026004 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 177threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026036
                                                              • GetThreadLocale.KERNEL32(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002603F
                                                              • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002604E
                                                                • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                              • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002605B
                                                                • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260A5
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260AF
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260B8
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260BD
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260D0
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260F2
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@CharLength$qqrx20System@UnicodeStringi.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026110
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002612B
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026135
                                                              • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026153
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026163
                                                              • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002617F
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002618F
                                                                • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                              • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500261AA
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500261BA
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026202
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026207
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$System@@$String$Stringx20$Sysutils@$Cat$qqrr20$From$Asg$qqrr20Comp$qqrpxbt1uiLocaleStringi$AnsiCharEnsureLen$qqrx20Str$qqrr20String$qqrr20Stringx27System@%T$us$i0$%$Char$qqrr20Clr$qqrpvCopy$qqrx20Def$qqrx20InfoInternalLen$qqrr20Length$qqrr20Length$qqrx20Long$qqrx20Move$qqrpxvpviStr$qqriix20StringbStringiiStringpbiStringriThread
                                                              • String ID: eeee$ggg$yyyy
                                                              • API String ID: 1621705807-1253427255
                                                              • Opcode ID: 1884aa2f990ab26dba5cc17f667b94dca3a286d4ccce1ce422f9c0f14f277c91
                                                              • Instruction ID: 4996f8794606f03fae622fcb1ff33eb4fce06e18e571e892f00786f695fe8f9d
                                                              • Opcode Fuzzy Hash: 1884aa2f990ab26dba5cc17f667b94dca3a286d4ccce1ce422f9c0f14f277c91
                                                              • Instruction Fuzzy Hash: 6A51C234A021CBCBDB10DBE8E9925EEB3A5EF91300F644363A500D7362DB74EE159791
                                                              Function 5002E9E8 Relevance: 49.1, APIs: 25, Strings: 3, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@FreeAndNil$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA0A
                                                                • Part of subcall function 5002B124: @System@TObject@Free$qqrv.RTL120(5002EA0F,00000000,5002EB85), ref: 5002B12C
                                                              • @Sysutils@TEncoding@FreeEncodings$qqrv.RTL120(00000000,5002EB85), ref: 5002EA14
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D299
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2AB
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2BD
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2CF
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2E1
                                                                • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2F3
                                                              • @System@RemoveModuleUnloadProc$qqrpqqrui$v.RTL120(00000000,5002EB85), ref: 5002EA1E
                                                                • Part of subcall function 5000C94C: @System@@FreeMem$qqrpv.RTL120(?,?,?,?,5000C929), ref: 5000C976
                                                                • Part of subcall function 5002B720: @System@@Dispose$qqrpvt1.RTL120(?,5002EA28,00000000,5002EB85), ref: 5002B73C
                                                                • Part of subcall function 500274D8: InterlockedExchange.KERNEL32(500A6DBC,00000000), ref: 500274E1
                                                                • Part of subcall function 500274D8: InterlockedExchange.KERNEL32(500A6DC0,00000000), ref: 500274F3
                                                                • Part of subcall function 50027254: @System@TObject@Free$qqrv.RTL120(?,?,5002EA37,00000000,5002EB85), ref: 5002728E
                                                                • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D0
                                                                • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D9
                                                                • Part of subcall function 50027254: @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(5002EA37,00000000,5002EB85), ref: 500272E4
                                                                • Part of subcall function 50027254: @System@ExceptAddr$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272ED
                                                                • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(00000000,5002EA37,00000000,5002EB85), ref: 500272F3
                                                              • @System@@WStrClr$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA46
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA50
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EAB5
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EACA
                                                                • Part of subcall function 5000AF28: @System@@LStrClr$qqrpv.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF7A
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EADF
                                                                • Part of subcall function 5000AF28: @System@@LStrArrayClr$qqrpvi.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF86
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EAF4
                                                                • Part of subcall function 5000AF28: @System@@WStrClr$qqrpv.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF97
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB09
                                                                • Part of subcall function 5000AF28: @System@@WStrArrayClr$qqrpvi.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AFA3
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(00000000,5002EB85), ref: 5002EB19
                                                                • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(00000000,5002EB85), ref: 5002EB29
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB48
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB5D
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB72
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$Array$qqrpvt1uiFinalize$Free$qqrvObject@$Free$ArrayClr$qqrpvExcept$Mem$qqrpvObject$qqrv$Clear$qqrrpvpvClr$qqrpviExchangeInterlockedSysutils@$Addr$qqrvClassClass$qqrp14Dispose$qqrpvt1Encoding@Encodings$qqrvMetaModuleNil$qqrpvObjectp17Proc$qqrpqqrui$vRemoveStringUnload
                                                              • String ID: ,lP$XlP$kP
                                                              • API String ID: 2770033941-639665064
                                                              • Opcode ID: f23baf51e28d9a27ceff879c9aaca5bdc4a02411ffc7946e290e9f0f5d05e065
                                                              • Instruction ID: 458439708314837829a00875a32db1e9822d01f5b0deb47506a78c5581f45b3e
                                                              • Opcode Fuzzy Hash: f23baf51e28d9a27ceff879c9aaca5bdc4a02411ffc7946e290e9f0f5d05e065
                                                              • Instruction Fuzzy Hash: 3431F0203570C147F714ABE8F82266A3221DFA1751FD08B27F1009B792CA29DD4297E2
                                                              Function 50030A88 Relevance: 48.2, APIs: 32, Instructions: 152windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B29
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B38
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B3D
                                                              • @Variants@VarInvalidOp$qqrv.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B47
                                                              • @Sysutils@SysErrorMessage$qqrui.RTL120(?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C6F
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C8C
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C9B
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030CA0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSysutils@$Except$qqrvException@$bctr$qqrx20LoadRaiseString$qqrp20System@@Unicode$ErrorInvalidMessage$qqruiOp$qqrvRecxiStringpx14Variants@
                                                              • String ID:
                                                              • API String ID: 770543886-0
                                                              • Opcode ID: a1282365be09462d89120203df3854cda1f43aef0eed8fd7da0b363bcbf0933f
                                                              • Instruction ID: f96400911d13d964e0fb64cf20edc1743dca0574da95ff12fd542a95d4d1681a
                                                              • Opcode Fuzzy Hash: a1282365be09462d89120203df3854cda1f43aef0eed8fd7da0b363bcbf0933f
                                                              • Instruction Fuzzy Hash: B15183345035C9CFEF21DBE4EDA29EEB3B1AF24204F504326F90097666CB75AD059BA1
                                                              Function 5002A000 Relevance: 44.1, APIs: 23, Strings: 2, Instructions: 309COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 50029E40: FindResourceW.KERNEL32(?,PACKAGEINFO,0000000A), ref: 50029E56
                                                                • Part of subcall function 50029E40: LoadResource.KERNEL32(?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E61
                                                                • Part of subcall function 50029E40: LockResource.KERNEL32(00000000,00000000,50029EA0,?,?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E81
                                                                • Part of subcall function 50029E40: FreeResource.KERNEL32(00000000,50029EA7,?,?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E9A
                                                              • @Sysutils@GetModuleName$qqrui.RTL120(00000000,5002A3C8), ref: 5002A0CB
                                                              • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5002A3C8), ref: 5002A0D6
                                                              • @Sysutils@ChangeFileExt$qqrx20System@UnicodeStringt1.RTL120(00000000,5002A3C8), ref: 5002A0E3
                                                              • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5002A3C8), ref: 5002A0F3
                                                              • @System@UTF8ToString$qqrpxcxi.RTL120(00000000,00000000,5002A3C8), ref: 5002A121
                                                              • @Sysutils@ChangeFileExt$qqrx20System@UnicodeStringt1.RTL120(00000000,00000000,5002A3C8), ref: 5002A131
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,5002A3C8), ref: 5002A139
                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,5002A3C8), ref: 5002A13F
                                                              • @Sysutils@StrLen$qqrpxc.RTL120(00000000,00000000,5002A3C8), ref: 5002A14D
                                                              • @System@@New$qqripv.RTL120(00000000,5002A3C8), ref: 5002A17A
                                                              • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5002A3C8), ref: 5002A1B6
                                                              • @Sysutils@HashName$qqrpc.RTL120 ref: 5002A1C6
                                                              • @Sysutils@HashName$qqrpc.RTL120 ref: 5002A1E1
                                                                • Part of subcall function 50029CF0: @System@@PCharLen$qqrpc.RTL120(?,?,00000000,?,5002A1CB), ref: 50029C6A
                                                                • Part of subcall function 50029CF0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C7E
                                                                • Part of subcall function 50029CF0: @System@@GetMem$qqri.RTL120(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C91
                                                                • Part of subcall function 50029CF0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 50029CA7
                                                                • Part of subcall function 50029CF0: CharUpperBuffW.USER32(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CAE
                                                                • Part of subcall function 50029CF0: @System@@FreeMem$qqrpv.RTL120(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CDD
                                                              • @Sysutils@StrIComp$qqrpxct1.RTL120 ref: 5002A201
                                                              • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,500A7DBC,00000000), ref: 5002A27E
                                                              • @System@UTF8ToString$qqrpxcxi.RTL120(00000000,00000000,500A7DBC,00000000), ref: 5002A29B
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000002,?,00000000,00000000,500A7DBC,00000000), ref: 5002A2C7
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000002,?,00000000,00000000,500A7DBC,00000000), ref: 5002A2CC
                                                              • @Sysutils@StrLen$qqrpxc.RTL120 ref: 5002A37E
                                                              • @System@@LStrClr$qqrpv.RTL120(5002A3CF), ref: 5002A3BA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Sysutils@$Unicode$String$CharResource$File$AnsiByteChangeExt$qqrx20FreeFromHashLen$qqrpxcModuleMultiName$qqrpcString$qqrpxcxiStringt1System@%Wide$ArrayBuffChar$qqrx20Clr$qqrpvComp$qqrpxct1Except$qqrvException@$bctr$qqrp20ExtractFindHandleLen$qqrpcLength$qqrvLoadLockMem$qqriMem$qqrpvName$qqruiName$qqrx20New$qqripvRaiseRecpx14RecxiStr$qqrr20Str$qqrr27StringusStringx27T$us$i0$%T$us$i0$%x20Upper
                                                              • String ID: .bpl$SysInit
                                                              • API String ID: 832494849-1949293470
                                                              • Opcode ID: 80d2e90f927725b8c34378fd1ad348739718c56a093d0ac4d107abcea30af493
                                                              • Instruction ID: 837392768b698e741bc70171f0b158cd4f4db25f9bd6245715707dd2a9ab8d4f
                                                              • Opcode Fuzzy Hash: 80d2e90f927725b8c34378fd1ad348739718c56a093d0ac4d107abcea30af493
                                                              • Instruction Fuzzy Hash: 88D13C74E0129A9FDB10CF98D880ADEB7F5FF59304F10866AE554AB351DB30AE45CB90
                                                              Function 500248EC Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 263timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500246E0: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                • Part of subcall function 500246E0: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024C6D), ref: 50024968
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024C6D), ref: 5002498C
                                                              • @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50024C6D), ref: 50024997
                                                              • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,50024C6D), ref: 500249B4
                                                              • @Sysutils@CurrentYear$qqrv.RTL120(?,?,?,00000000,50024C6D), ref: 50024AC1
                                                              • @Sysutils@CurrentYear$qqrv.RTL120(?,?,00000000,50024C6D), ref: 50024AFA
                                                                • Part of subcall function 50022830: GetLocalTime.KERNEL32 ref: 50022834
                                                              • @System@Pos$qqrx20System@UnicodeStringt1.RTL120(?,?,00000000,50024C6D), ref: 50024B5C
                                                              • @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120(?,?,?,00000000,50024C6D), ref: 50024C3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@Sysutils@$Ansi$CurrentFromPos$qqrx20Str$qqrr20Stringt1Stringx27System@%T$us$i0$%TimeYear$qqrv$Copy$qqrx20DateDate$qqrusususr16EncodeEnsureInternalLen$qqrx20LocalString$qqrr20StringiiTrim$qqrx20
                                                              • String ID: ddd
                                                              • API String ID: 267030927-4224823564
                                                              • Opcode ID: 92fb4fcf5a5ca246f8cc9000afe12874db32018b39c2798d273ab4d6d16fe3e0
                                                              • Instruction ID: 1069cb2eb66a71ff8ce87d181cf04f1ba4992945fcbd8b3ac5469d60a7480345
                                                              • Opcode Fuzzy Hash: 92fb4fcf5a5ca246f8cc9000afe12874db32018b39c2798d273ab4d6d16fe3e0
                                                              • Instruction Fuzzy Hash: 52A19034E0219A8ADB40DFE9E8506FEB7F4AF19300F50426AEC44E7251D774DE85CBA6
                                                              Function 5001CC54 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 249shareCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CFA9), ref: 5001CC90
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000001,?,00000400,00000000,5001CFA9), ref: 5001CCBE
                                                              • WNetGetUniversalNameW.MPR(00000000,00000001,?,00000400,00000000,5001CFA9), ref: 5001CCC4
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000001,?,00000400,00000000,5001CFA9), ref: 5001CCDC
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CCFE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CD48
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CD7C
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CDA9
                                                              • WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 5001CDCA
                                                              • @System@@GetMem$qqri.RTL120(00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CDEF
                                                              • WNetEnumResourceW.MPR(?,FFFFFFFF,?,?), ref: 5001CE22
                                                              • @System@@ReallocMem$qqrrpvi.RTL120(?,FFFFFFFF,?,?), ref: 5001CE3F
                                                              • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CF5E,?,00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CE4C
                                                              • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CE51
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5001CECF
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?), ref: 5001CF03
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?), ref: 5001CF18
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?), ref: 5001CF27
                                                              • @System@@TryFinallyExit$qqrv.RTL120(?), ref: 5001CF2C
                                                              • @System@@TryFinallyExit$qqrv.RTL120 ref: 5001CF31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@Unicode$FromString$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Exit$qqrvFinally$Char$qqrr20EnumStringpbStringx20$Asg$qqrr20Cat3$qqrr20Char$qqrx20Copy$qqrx20Mem$qqriMem$qqrrpviNameOpenReallocResourceStringiiStringt2Universal
                                                              • String ID: Z
                                                              • API String ID: 1098235404-1505515367
                                                              • Opcode ID: ce88e6d188f896e37c4bd4105249160936e441a3b514efbdf87da04b86b1681a
                                                              • Instruction ID: 71e5e890997e1f0220871d1c903543e3dfefbe9867c7c1a26dfae42662089f1d
                                                              • Opcode Fuzzy Hash: ce88e6d188f896e37c4bd4105249160936e441a3b514efbdf87da04b86b1681a
                                                              • Instruction Fuzzy Hash: 4BA15970A00289DBDB11DFA8DD41AEEB7F5FF09310F5042AAEA00A7251D774DE81DB95
                                                              Function 5002F51C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 5002F525
                                                                • Part of subcall function 5002F4F0: GetProcAddress.KERNEL32(00000000), ref: 5002F509
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                              • API String ID: 1646373207-1918263038
                                                              • Opcode ID: e06b940d9476934792f39afd65196c440aa36b4342473c26250aa0f9965bd5d2
                                                              • Instruction ID: 68bf6f208d1ebe513e8a8dda1fcfe738442d494e70350c7787d103a1d8736fcd
                                                              • Opcode Fuzzy Hash: e06b940d9476934792f39afd65196c440aa36b4342473c26250aa0f9965bd5d2
                                                              • Instruction Fuzzy Hash: 37413B6558B6C74A23146BADF90343777D89AA4E94360833BF808CA282DFB87C408769
                                                              Function 50024D00 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 255timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500246E0: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                • Part of subcall function 500246E0: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                              • @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50025040), ref: 50024D8B
                                                                • Part of subcall function 5001A684: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A736), ref: 5001A6C0
                                                                • Part of subcall function 5001A684: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6DF
                                                                • Part of subcall function 5001A684: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6F5
                                                                • Part of subcall function 5002483C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002485E
                                                                • Part of subcall function 5002483C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 50024866
                                                                • Part of subcall function 5002483C: @Sysutils@AnsiStrPos$qqrpbt1.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002486C
                                                              • @Sysutils@CurrentYear$qqrv.RTL120(?,?,?,00000000,50025040), ref: 50024EAC
                                                                • Part of subcall function 50022830: GetLocalTime.KERNEL32 ref: 50022834
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50025040), ref: 50024D80
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,50025040), ref: 50024DA5
                                                              • @System@Pos$qqrx20System@UnicodeStringt1.RTL120(?,?,00000000,50025040), ref: 50024F43
                                                              • @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120(?,?,?,00000000,50025040), ref: 50025010
                                                                • Part of subcall function 50024778: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F4
                                                                • Part of subcall function 50024778: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$System@@$String$Sysutils@$Ansi$EnsureFromString$qqrr20$Char$qqrx20InternalLen$qqrx20Pos$qqrx20Str$qqrr20Stringt1Stringx27System@%T$us$i0$%Time$Asg$qqrr20CharCopy$qqrx20CurrentDateDate$qqrusususr16EncodeLen$qqrr20LocalPos$qqrpbt1StringiiStringpbiStringx20Trim$qqrx20Year$qqrv
                                                              • String ID: ddd
                                                              • API String ID: 1381184704-4224823564
                                                              • Opcode ID: e386033784eb847864489c39f08a3879fa3b97122ed4c4e9c4fae4110e8f86f9
                                                              • Instruction ID: 7e45ed9e95105cac947c5d20d2be00b22e649cf3ab46312cbd668170dbcc43f1
                                                              • Opcode Fuzzy Hash: e386033784eb847864489c39f08a3879fa3b97122ed4c4e9c4fae4110e8f86f9
                                                              • Instruction Fuzzy Hash: 75A1BE70A0229A8BDF40DFE5E8806FEB7F1BF19300F50426AE844E7251D7349E45CBA6
                                                              Function 5001CA14 Relevance: 34.6, APIs: 23, Instructions: 131COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InitializeRecord$qqrpvt1.RTL120 ref: 5001CA61
                                                                • Part of subcall function 5000AE00: @System@@InitializeArray$qqrpvt1ui.RTL120 ref: 5000AE24
                                                              • @Sysutils@ExpandFileName$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA78
                                                                • Part of subcall function 5001C9D8: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000104,?), ref: 5001C9F1
                                                                • Part of subcall function 5001C9D8: GetFullPathNameW.KERNEL32(00000000,00000104,?), ref: 5001C9F7
                                                                • Part of subcall function 5001C9D8: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000104,?), ref: 5001CA04
                                                              • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA82
                                                                • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                              • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA8C
                                                                • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                              • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAA3
                                                                • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                                • Part of subcall function 5001C70C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                              • @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAB4
                                                                • Part of subcall function 500286A0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286AB
                                                                • Part of subcall function 500286A0: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286C5
                                                                • Part of subcall function 500286A0: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286D5
                                                              • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001CC45), ref: 5001CAC2
                                                                • Part of subcall function 5002889C: @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288BC
                                                                • Part of subcall function 5002889C: @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288CA
                                                                • Part of subcall function 5002889C: @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288D3
                                                              • @Sysutils@ExcludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAFC
                                                                • Part of subcall function 50028704: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5002870F
                                                                • Part of subcall function 50028704: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 50028729
                                                                • Part of subcall function 50028704: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 50028748
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB0A
                                                              • @Sysutils@ExpandFileNameCase$qqrx20System@UnicodeStringr27Sysutils@TFilenameCaseMatch.RTL120(00000000,5001CC45), ref: 5001CB1E
                                                                • Part of subcall function 5001CA14: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB2C
                                                                • Part of subcall function 5001CA14: @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB49
                                                                • Part of subcall function 5001CA14: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB57
                                                              • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,5001CC45), ref: 5001CAEA
                                                                • Part of subcall function 5001C140: FindClose.KERNEL32(?,?,5001C10A,00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C14C
                                                              • @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec.RTL120(00000000,5001CC45), ref: 5001CADD
                                                                • Part of subcall function 5001C0CC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E1
                                                                • Part of subcall function 5001C0CC: FindFirstFileW.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E7
                                                                • Part of subcall function 5001C0CC: @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C105
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CB76
                                                              • @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CB8C
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CBB8
                                                              • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CBBD
                                                              • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(5001CBE4,00000000,5001CC45), ref: 5001CBD7
                                                              • @System@@FinalizeRecord$qqrpvt1.RTL120(5001CC4C), ref: 5001CC32
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$Sysutils@$System@@$String$Stringx20$Delimiter$qqrx20FileFind$Path$Asg$qqrr20Search$AnsiStringt1$Case$qqrx20Close$qqrr19Copy$qqrx20ExtractFromName$qqrx20StringiStringiiTrailing$Cat3$qqrr20Char$qqrx20ExpandFirst$qqrx20IncludeInitializeInternalLastLowerNameRecord$qqrpvt1Str$qqrr20Stringir19Stringt2Stringx27System@%T$us$i0$%$Array$qqrpvt1uiCaseCat$qqrr20CharCloseCompareDrive$qqrx20ExcludeExit$qqrvFilenameFinalizeFinallyFirstFullLen$qqrr20Length$qqrr20MatchPath$qqrx20SameStr$qqrx20StringpbiStringr27
                                                              • String ID:
                                                              • API String ID: 3647251182-0
                                                              • Opcode ID: babfc3170ad390a3f6173a305eb4a18e5706085a47ed011bab55c1456b62137d
                                                              • Instruction ID: 8f116e2beaebb0910c79983e48f6089e9e1a1bde4e140d13074eedb8cff09ffc
                                                              • Opcode Fuzzy Hash: babfc3170ad390a3f6173a305eb4a18e5706085a47ed011bab55c1456b62137d
                                                              • Instruction Fuzzy Hash: B9510734906199DBDB50DFA4DD96ACDB7B5EF49310F9082E6E808A3211DB30AF85CF80
                                                              Function 50003454 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 277windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@FillChar$qqrpvib.RTL120 ref: 50003480
                                                              • @System@@FillChar$qqrpvib.RTL120 ref: 50003492
                                                              • @System@SysUnregisterExpectedMemoryLeak$qqrpv.RTL120 ref: 500034FA
                                                              • @System@SysUnregisterExpectedMemoryLeak$qqrpv.RTL120 ref: 5000354C
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 500035B3
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 50003637
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 50003694
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 500036CD
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 500036E9
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 50003705
                                                                • Part of subcall function 50003018: @System@Move$qqrpxvpvi.RTL120(?,?,500035CA), ref: 50003022
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 5000379C
                                                              • @System@@PCharLen$qqrpc.RTL120 ref: 50003802
                                                              • MessageBoxA.USER32(00000000,?,50001ED0,00002010), ref: 50003829
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$CharLen$qqrpc$System@$Char$qqrpvibExpectedFillLeak$qqrpvMemoryUnregister$MessageMove$qqrpxvpvi
                                                              • String ID: $7$<JP$jP
                                                              • API String ID: 1068419464-4104698994
                                                              • Opcode ID: a8bb0f9d858d0eae5a91e9caac678f446fdd161179c3f76a6e3532f1f0ec883b
                                                              • Instruction ID: 1bd8d098dfdd9012cd56aed44c4f0c03c4dd7fa1f26bc2d498341ce450a84f99
                                                              • Opcode Fuzzy Hash: a8bb0f9d858d0eae5a91e9caac678f446fdd161179c3f76a6e3532f1f0ec883b
                                                              • Instruction Fuzzy Hash: 27B1E430A052D48BFB32DB6CDC90B88B7F8BB49650F9442E6E449DB352CB719D85CB91
                                                              Function 500391B0 Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$Stringx20System@@$Asg$qqrr20Cat3$qqrr20StringStringt2
                                                              • String ID: Any$Array $ByRef $String$UnicodeString
                                                              • API String ID: 2201327990-2617011621
                                                              • Opcode ID: 2c48cb2b966e9eb535af4dc705276307beba80cf27b90786bbe315e30b6060d6
                                                              • Instruction ID: ebc111c00f9f3ce4b2f0d66ad6076afb76b8f2783d8abbf171bc1124b3b59010
                                                              • Opcode Fuzzy Hash: 2c48cb2b966e9eb535af4dc705276307beba80cf27b90786bbe315e30b6060d6
                                                              • Instruction Fuzzy Hash: 4E21F7347055D0AFEF12EAD8D851BDAB3DAEF9A710FA04713BA0097386C6789E01C691
                                                              Function 50002B10 Relevance: 28.9, APIs: 19, Instructions: 407COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@SysGetMem$qqri.RTL120 ref: 50002B40
                                                              • @System@SysFreeMem$qqrpv.RTL120 ref: 50002B58
                                                              • @System@SysGetMem$qqri.RTL120 ref: 50002B76
                                                              • @System@SysFreeMem$qqrpv.RTL120 ref: 50002B9C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$FreeMem$qqriMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 1065326172-0
                                                              • Opcode ID: 07fe07600e9fc5acced1606dc5d0384102eb1ac5b07c89382bdbf1b765f8db2c
                                                              • Instruction ID: 109219bf6a90ecac94eeb607d3392a2891908dbfbfbb0241e4c678e92fbbb21d
                                                              • Opcode Fuzzy Hash: 07fe07600e9fc5acced1606dc5d0384102eb1ac5b07c89382bdbf1b765f8db2c
                                                              • Instruction Fuzzy Hash: 48C10762700A814BF7159ABC9CA57ADB3D19BD4221F98833EE614CB396DAB4EC458381
                                                              Function 5001D12C Relevance: 28.6, APIs: 19, Instructions: 137COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D15E
                                                              • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(?,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D16C
                                                              • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D175
                                                              • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D18F
                                                              • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1A2
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1EA
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1F8
                                                              • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D201
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D20E
                                                              • @System@@UStrCatN$qqrv.RTL120(5001D2FC,5001D2E8,00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D22C
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D250
                                                              • @System@@UStrCatN$qqrv.RTL120(5001D2FC,?,00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D264
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D275
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D27F
                                                                • Part of subcall function 5001D100: @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000004,?,5001D1B5,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D110
                                                              • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D28A
                                                                • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D294
                                                                • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$Sysutils@$File$Char$qqrr20FromStringpbStringx20$ExtractName$qqrx20Stringt1$Asg$qqrr20Cat$qqrr20Drive$qqrx20N$qqrvSameString$qqrr20Unique$AnsiClr$qqrpvCopy$qqrx20Delimiter$qqrx20LastLength$qqrr20Move$qqrpxvpviScan$qqrpbbStringiStringii
                                                              • String ID:
                                                              • API String ID: 178390892-0
                                                              • Opcode ID: 5cf03c4f51f339b5190f70d2a39a3b1a4e70701528fcd71156b8032a35829f8d
                                                              • Instruction ID: 482c5ae77d457f58d2c42465c16c4b49129206617ce66a2e08880273dab9e065
                                                              • Opcode Fuzzy Hash: 5cf03c4f51f339b5190f70d2a39a3b1a4e70701528fcd71156b8032a35829f8d
                                                              • Instruction Fuzzy Hash: 26414234A01A99ABDB01DBD4EC91ADEB3B5EF68200F504637F510A3241DB74DE868B91
                                                              Function 50029604 Relevance: 27.2, APIs: 18, Instructions: 238COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 50029676
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 5002969F
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500298F5), ref: 500296B5
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 500296DB
                                                              • @Sysutils@CharLength$qqrx20System@UnicodeStringi.RTL120(00000000,500298F5), ref: 500296FA
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 50029764
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500298F5), ref: 50029777
                                                              • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(00000000,500298F5), ref: 50029786
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500298F5), ref: 5002980F
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 5002981A
                                                              • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(?,00000000,500298F5), ref: 50029864
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 5002988A
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500298F5), ref: 500298BA
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 500298C5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$InternalStringx20$Cat$qqrr20Sysutils@$Comp$qqrpxbt1uiCopy$qqrx20Stringii$Asg$qqrr20CharChar$qqrx20Length$qqrx20Stringi
                                                              • String ID:
                                                              • API String ID: 873705688-0
                                                              • Opcode ID: 253641eb34a4d143ab3a2581e42b7379e36710be684173b05d6945abe8d2afe8
                                                              • Instruction ID: be51fb8424686403522dc7b40415ecc70bc72e8b18d73c36ef70b9aef3598e1a
                                                              • Opcode Fuzzy Hash: 253641eb34a4d143ab3a2581e42b7379e36710be684173b05d6945abe8d2afe8
                                                              • Instruction Fuzzy Hash: 24A13934D1228A9FDF00DFA8E985AEEB7F1FF49300FA44266E404A7251D7749E81CB94
                                                              Function 50029964 Relevance: 27.2, APIs: 18, Instructions: 178COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@ParamCount$qqrv.RTL120(00000000,50029B78), ref: 50029994
                                                                • Part of subcall function 500046CC: GetCommandLineW.KERNEL32(00000000,5000471D,?,?,?,00000000), ref: 500046E3
                                                              • @System@ParamStr$qqri.RTL120(00000000,50029B78), ref: 500299AD
                                                                • Part of subcall function 5000472C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000473D
                                                                • Part of subcall function 5000472C: GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 50004752
                                                                • Part of subcall function 5000472C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,?,00000105), ref: 5000475D
                                                              • @System@@SetEq$qqrv.RTL120(00000000,50029B78), ref: 500299BB
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50029B78), ref: 500299F5
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50029B78), ref: 50029A00
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029A1D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029A4E
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50029B78), ref: 50029A6E
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,?,00000000,50029B78), ref: 50029A7B
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,00000000,50029B78), ref: 50029A88
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50029B78), ref: 50029AB0
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50029B78), ref: 50029ABB
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029AD8
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029B09
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50029B78), ref: 50029B29
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,?,00000000,50029B78), ref: 50029B36
                                                              • CompareStringW.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,?,00000000,50029B78), ref: 50029B43
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$From$AnsiChar$qqrx20InternalStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Stringx20$CompareCopy$qqrx20ParamStringii$CharCommandCount$qqrvEq$qqrvFileLen$qqrr20LineModuleNameStr$qqriStringpbi
                                                              • String ID:
                                                              • API String ID: 3651759711-0
                                                              • Opcode ID: cd5cc04ada734ffdd08278c1e4b726aaa89d04c5e2e3be0d58094f2489661b81
                                                              • Instruction ID: c09673ee74d34fb23c294186d7525fae2e6e01a2bf152108c741f07823023258
                                                              • Opcode Fuzzy Hash: cd5cc04ada734ffdd08278c1e4b726aaa89d04c5e2e3be0d58094f2489661b81
                                                              • Instruction Fuzzy Hash: 3A613970E0128A9FDF01DFA8E981AEEB7F9EF48300F904266E504E7251E7749D41CBA5
                                                              Function 5001A8EC Relevance: 27.1, APIs: 18, Instructions: 142COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A921
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A92A
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A93F
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,5001AA7C), ref: 5001A955
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(?,?,00000000,5001AA7C), ref: 5001A967
                                                              • @System@@UStrCatN$qqrv.RTL120(?,?,?,00000000,5001AA7C), ref: 5001A976
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001AA7C), ref: 5001A998
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001AA7C), ref: 5001A9AC
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A9B3
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A9C7
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A9D4
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5001AA7C), ref: 5001A9F1
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001AA17
                                                              • @Sysutils@StrEnd$qqrpxb.RTL120(00000000,5001AA7C), ref: 5001AA24
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5001AA7C), ref: 5001AA3E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$Unicode$AnsiSysutils@$Scan$qqrpbbString$Char$qqrx20From$Char$qqrr20Move$qqrpxvpviStringb$End$qqrpxbInternalLength$qqrr20N$qqrvStr$qqrr20StringiStringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 3100482041-0
                                                              • Opcode ID: ac5933cb5126ba6906b8115a9258b9b4bc1d021dfbd3a256c5a20e56419a4f34
                                                              • Instruction ID: e71aa64f505d5f3bb0e37b2848e98b16ac34cbcc8d436ff160d5d4550b390a29
                                                              • Opcode Fuzzy Hash: ac5933cb5126ba6906b8115a9258b9b4bc1d021dfbd3a256c5a20e56419a4f34
                                                              • Instruction Fuzzy Hash: C941C021B012A69BDB019BE9DC912AEB3F5AF58200F944636E840D7352EB38DE418391
                                                              Function 5002944C Relevance: 27.1, APIs: 18, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,500295F1), ref: 5002948C
                                                                • Part of subcall function 50019EBC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019EF5
                                                                • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F08
                                                                • Part of subcall function 50019EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F13
                                                                • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F1F
                                                                • Part of subcall function 50019EBC: CharUpperBuffW.USER32(00000000,?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000), ref: 50019F25
                                                              • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,500295F1), ref: 50029497
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294A3
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294AE
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294B8
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294C2
                                                              • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,500295F1), ref: 500294D2
                                                                • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294E3
                                                                • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000000,500295F1), ref: 50029504
                                                              • @System@@UStrCatN$qqrv.RTL120(?,?,?,00000000,00000000,500295F1), ref: 50029517
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,?,?,00000000,00000000,500295F1), ref: 50029534
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,00000000,00000000,500295F1), ref: 50029560
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,00000000,00000000,500295F1), ref: 50029571
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$AnsiStringx20$Asg$qqrr20Char$qqrx20From$InternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@Upper$Case$qqrx20Cat$qqrr20CharCopy$qqrx20Stringii$BuffClr$qqrpvLen$qqrr20Length$qqrr20Move$qqrpxvpviN$qqrvPos$qqrx20StringiStringpbiStringt1
                                                              • String ID:
                                                              • API String ID: 2621940507-0
                                                              • Opcode ID: ff1345ccb1cb74fbf93f5664dae3af5beed445668d21275d9704c0a32d1a5c61
                                                              • Instruction ID: c8ac3393b34f38ec1835f6db0b975786c4e5aa466663b261a48470ebfa86302d
                                                              • Opcode Fuzzy Hash: ff1345ccb1cb74fbf93f5664dae3af5beed445668d21275d9704c0a32d1a5c61
                                                              • Instruction Fuzzy Hash: 24513930A0269A9FDF01DF98E8819DEB7B5FF49300F90866AE914A7255D734AE45CB80
                                                              Function 5001D338 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D366
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D4A4), ref: 5001D394
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@FileExists$qqrx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D3A9
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D3C0
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,5001D4A4), ref: 5001D3F2
                                                              • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(?,00000000,5001D4A4), ref: 5001D410
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D421
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001D4A4), ref: 5001D43D
                                                              • @Sysutils@AnsiLastChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D447
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,5001D4A4), ref: 5001D469
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D477
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D489
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$String$System@@$AnsiStringx20$FromStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Asg$qqrr20Cat$qqrr20EnsureInternalString$qqrr20$CharChar$qqrx20Copy$qqrx20Exists$qqrx20FileIndex$qqrx20LastNextStringiStringii
                                                              • String ID: \
                                                              • API String ID: 1823336666-2967466578
                                                              • Opcode ID: df0ab2c0c2f59ba5373b8656c7223b6ccec50d516bfc707d398026b4c07643d9
                                                              • Instruction ID: 6d0a0c84b3d9e99a300f93f86f148e16fca29f9739a9876171c5e92ec0c1f276
                                                              • Opcode Fuzzy Hash: df0ab2c0c2f59ba5373b8656c7223b6ccec50d516bfc707d398026b4c07643d9
                                                              • Instruction Fuzzy Hash: 2C417134E00989DFDB10EFA8D99289EB3F1EF44300B5082A7E510E7221D770AF86D791
                                                              Function 5002A794 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 106librarywindowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002A8E2), ref: 5002A7B7
                                                              • @System@LoadResourceModule$qqrpbo.RTL120(00000000,5002A8E2), ref: 5002A7C4
                                                                • Part of subcall function 5000C58C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,50120000,50242008), ref: 5000C5A8
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5C8
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,50120000,50242008), ref: 5000C5E6
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                                • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                                • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                                • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                                • Part of subcall function 5000C58C: RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                              • GetModuleHandleW.KERNEL32(?,00000000,5002A8E2), ref: 5002A7D3
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00000000,5002A8E2), ref: 5002A7E6
                                                              • GetLastError.KERNEL32(?,00000000,5002A8E2), ref: 5002A801
                                                              • @Sysutils@SysErrorMessage$qqrui.RTL120(?,00000000,5002A8E2), ref: 5002A809
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,?,00000000,5002A8E2), ref: 5002A82B
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,?,00000000,5002A8E2), ref: 5002A830
                                                              • FindResourceW.KERNEL32(00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A84E
                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A85C
                                                              • LockResource.KERNEL32(00000000,00000000,5002A8A1,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A87C
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000000,5002A8A1,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A885
                                                              • FreeResource.KERNEL32(00000000,5002A8A8,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A89B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Resource$Open$LoadSystem@@Unicode$ErrorModuleQueryStringSysutils@Value$Asg$qqrr20Char$qqrr20CloseExcept$qqrvException@$bctr$qqrp20FileFindFreeFromHandleLastLibraryLockMessage$qqruiModule$qqrpboNameRaiseRecpx14RecxiStringpbStringx20
                                                              • String ID: DESCRIPTION
                                                              • API String ID: 3160456903-3773289166
                                                              • Opcode ID: 9c728f30882331a281c9099e372204b5d02cfbfa5d2dcb8aba3413716321baf8
                                                              • Instruction ID: 2fbb488c572c727051016de5f65cec4f5785d2b5e39462af3f2b4d4cfef47028
                                                              • Opcode Fuzzy Hash: 9c728f30882331a281c9099e372204b5d02cfbfa5d2dcb8aba3413716321baf8
                                                              • Instruction Fuzzy Hash: 2731A270A062D9AFEB05CFF4EC55B9DB7F9EB1A304F9045A6F500A3242DE385A40C7A0
                                                              Function 5002D988 Relevance: 25.6, APIs: 17, Instructions: 135COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,5002DB19,?,00000000), ref: 5002D9D3
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5002DB19,?,00000000), ref: 5002D9CE
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002D9F7
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002D9FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA1F
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA24
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002DB19,?,00000000), ref: 5002DA41
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA70
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA75
                                                              • @System@@DynArrayLength$qqrv.RTL120(00000000,5002DB19,?,00000000), ref: 5002DA7F
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAAA
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAAF
                                                              • @Sysutils@TEncoding@GetByteCount$qqrx20System@UnicodeStringii.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DABD
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAD8
                                                              • @System@@RaiseExcept$qqrv.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DADD
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$String$RaiseSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$Unicode$AfterAnsiArrayByteClassClassoConstruction$qqrp14Count$qqrx20Create$qqrp17Encoding@Error$qqrucFromInternalLength$qqrvList$qqrvLoadMetaObjectStr$qqrr20String$qqrp20StringiiStringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 1510222668-0
                                                              • Opcode ID: 04cde6b8ab52445afbce40d0579e5524d879601997f477b20f500470919b9e46
                                                              • Instruction ID: c200511c8af83f716f27c4f8f74ee48d0f5db12a54d239dde748c8e376a153b6
                                                              • Opcode Fuzzy Hash: 04cde6b8ab52445afbce40d0579e5524d879601997f477b20f500470919b9e46
                                                              • Instruction Fuzzy Hash: 1551A330A065869FDB10DFA8ED91AAEB7F9EF54304F508266F904D7351CB70AE01CBA1
                                                              Function 5002D778 Relevance: 25.6, APIs: 17, Instructions: 120COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7AB
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7A6
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7C9
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7CE
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D7F1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D7F6
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D819
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D81E
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D826
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D84B
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D850
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D85A
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D885
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D88A
                                                              • @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D898
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B3
                                                              • @System@@RaiseExcept$qqrv.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tb%iiByteClassClassoConstruction$qqrp14Count$qqrx24Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                              • String ID:
                                                              • API String ID: 1237184820-0
                                                              • Opcode ID: 952b74f017d3762d293e9f3b11fffa3ac327c9001284a9ce47d9ecc3364eade9
                                                              • Instruction ID: a3c714428ec61206f39ef323b742ab525dddacf128d87db4c55a7e7c244486e1
                                                              • Opcode Fuzzy Hash: 952b74f017d3762d293e9f3b11fffa3ac327c9001284a9ce47d9ecc3364eade9
                                                              • Instruction Fuzzy Hash: E2416F30E0658A9FDB10DFD8FD85AAEB7B9AF54304F10425AF90497352DB71AE01CBA1
                                                              Function 50031598 Relevance: 24.1, APIs: 16, Instructions: 133COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 5003162F
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031642
                                                              • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031653
                                                              • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031664
                                                              • @Variants@@VarFromCurr$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031675
                                                              • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031686
                                                              • @Variants@@VarFromWStr$qqrr8TVarDatax17System@WideString.RTL120(00000000,5003177B,?,?,?,00000000), ref: 5003169F
                                                              • @Variants@@VarFromBool$qqrr8TVarDataxo.RTL120(00000000,5003177B,?,?,?,00000000), ref: 500316B8
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 500316CC
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 500316E0
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 500316F1
                                                              • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031701
                                                              • @Variants@@VarFromInt64$qqrr8TVarDataxj.RTL120(?,?,00000000,5003177B,?,?,?,00000000), ref: 50031714
                                                              • @Variants@@VarFromUInt64$qqrr8TVarDataxuj.RTL120(?,?,?,?,00000000,5003177B,?,?,?,00000000), ref: 50031727
                                                              • @Variants@@VarCopyNoInd$qqrr8TVarDatarx8TVarData.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031735
                                                              • @System@@WStrClr$qqrpv.RTL120(50031782,?,?,00000000), ref: 50031775
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Variants@@$From$DataxixzcInt$qqrr8$Real$qqrv$Int64$qqrr8$Bool$qqrr8Clr$qqrpvCopyCurr$qqrvDataDatarx8Datax17DataxjDataxoDataxujInd$qqrr8Str$qqrr8StringSystem@System@@Wide
                                                              • String ID:
                                                              • API String ID: 1012867692-0
                                                              • Opcode ID: 0d706630987602831d493e185933a0c614700174b10b453fd8f24576d447ecb0
                                                              • Instruction ID: 379c610481b3938701a24ff1c6e680b783a9edc1522a16b2d264831e533fbfcd
                                                              • Opcode Fuzzy Hash: 0d706630987602831d493e185933a0c614700174b10b453fd8f24576d447ecb0
                                                              • Instruction Fuzzy Hash: A8412434309EA08F8712AF58D9818D973B5AB8DA80F6CC352F544CF319DA74DD41A7D2
                                                              Function 5002DD38 Relevance: 24.1, APIs: 16, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120 ref: 5002DD6B
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 5002DD66
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DD8E
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DD93
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DDB6
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DDBB
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5002DDC3
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DDE8
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DDED
                                                              • @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?), ref: 5002DDFB
                                                              • @System@@DynArrayLength$qqrv.RTL120(?), ref: 5002DE0C
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?), ref: 5002DE2F
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?), ref: 5002DE34
                                                              • @System@@DynArrayLength$qqrv.RTL120(00000000,?,?), ref: 5002DE3E
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,?,?), ref: 5002DE59
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?), ref: 5002DE5E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tuc%iiCharClassClassoConstruction$qqrp14Count$qqrx25Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                              • String ID:
                                                              • API String ID: 599856924-0
                                                              • Opcode ID: 4b8d796bfac4fa0ae40b9c02b7f6622a5a3d8938baecce40c243d743d60e7c27
                                                              • Instruction ID: 7c7a2039e6845435a2d692603e14150ae7f22c60f5061fde4fa10c9b3cf0b75a
                                                              • Opcode Fuzzy Hash: 4b8d796bfac4fa0ae40b9c02b7f6622a5a3d8938baecce40c243d743d60e7c27
                                                              • Instruction Fuzzy Hash: CB416430A025869BDB10DF98FD91AAEB7B9AF54304F50415AF9049B352CB71AE05CBA1
                                                              Function 500236AC Relevance: 22.6, APIs: 15, Instructions: 107threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023814), ref: 500236D8
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023814), ref: 50023706
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000200,00000000,50023814), ref: 5002371A
                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,50023814), ref: 50023726
                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002372C
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 50023746
                                                              • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002376D
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002377B
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @Sysutils@ByteToCharLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237A6
                                                              • @Sysutils@CharToByteIndex$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237B7
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237D3
                                                              • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237E3
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237EE
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$Char$From$ByteStringStringiSysutils@$Len$qqrx20Stringpbi$Asg$qqrr20Len$qqrr20Stringx20$AnsiArray$qqrr20Char$qqrr20Char$qqrx20Copy$qqrx20DateFormatIndex$qqrx20InternalLocaleStr$qqrr20StringiiStringpbStringx27System@%T$us$i0$%Thread
                                                              • String ID:
                                                              • API String ID: 3483906196-0
                                                              • Opcode ID: 07ec6dc5ae61966c67d195a7f413b0f24ab838b4146774390f1e3ff9206560d6
                                                              • Instruction ID: 4f9631fb190bdf22358dadba8d9e4bcdbf434579e9ae2086efaa57f8c8f505f9
                                                              • Opcode Fuzzy Hash: 07ec6dc5ae61966c67d195a7f413b0f24ab838b4146774390f1e3ff9206560d6
                                                              • Instruction Fuzzy Hash: 7231A274A461998FEF20DBA8E89569DB3F4EF18300F5042A6F808E7315DA34DE01CBD1
                                                              Function 500229F4 Relevance: 22.6, APIs: 15, Instructions: 107threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022B5C), ref: 50022A20
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022B5C), ref: 50022A4E
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000100,00000000,50022B5C), ref: 50022A62
                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A6E
                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A74
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A8E
                                                              • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AB5
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AC3
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @Sysutils@ByteToCharLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AEE
                                                              • @Sysutils@CharToByteIndex$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AFF
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B1B
                                                              • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B2B
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B36
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$Char$From$ByteStringStringiSysutils@$Len$qqrx20Stringpbi$Asg$qqrr20Len$qqrr20Stringx20$AnsiArray$qqrr20Char$qqrr20Char$qqrx20Copy$qqrx20DateFormatIndex$qqrx20InternalLocaleStr$qqrr20StringiiStringpbStringx27System@%T$us$i0$%Thread
                                                              • String ID:
                                                              • API String ID: 3483906196-0
                                                              • Opcode ID: 14b31e75bbe4f29b0344d47f151fd9c0e418cd3dfaf5d63b438e38d57a2d97fd
                                                              • Instruction ID: 53e8520a94321b9216bfb608fab58842445848e9737d4ff382ae0df39ef9d34b
                                                              • Opcode Fuzzy Hash: 14b31e75bbe4f29b0344d47f151fd9c0e418cd3dfaf5d63b438e38d57a2d97fd
                                                              • Instruction Fuzzy Hash: EA31B234A425999FDB11DFA8E89569DB3F4EF18300F5042A6F808E7315DB349E02CBD2
                                                              Function 5001C70C Relevance: 21.2, APIs: 14, Instructions: 161COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C84D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C7BC
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C7E7
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C813
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C866
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C86B
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C891
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C8AD
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C8B9
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Copy$qqrx20Stringii$Asg$qqrr20EnsureLen$qqrx20String$qqrr20Stringx20
                                                              • String ID:
                                                              • API String ID: 878542493-0
                                                              • Opcode ID: 3ab3b303093b8a636e88502fb4d09674c64ae5bfa68a04d5878e1d884443bb8e
                                                              • Instruction ID: a5e6bedc7b1fa09ac2a89fd4f76479da9ae694add23f0eb23cd9a90cd4e19f31
                                                              • Opcode Fuzzy Hash: 3ab3b303093b8a636e88502fb4d09674c64ae5bfa68a04d5878e1d884443bb8e
                                                              • Instruction Fuzzy Hash: 76516E34A04185DBDF11DFA8DD82EADB3F9EF85220B6082A6D500D7295EBB0DEC5D781
                                                              Function 50010280 Relevance: 21.2, APIs: 14, Instructions: 153COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010450,?,?,?,?), ref: 500102B1
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 500102CE
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 50010306
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,500108D0,00000000,50010450,?,?,?,?), ref: 50010337
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,500108D0,00000000,50010450,?,?,?,?), ref: 5001033C
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010392
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010397
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 500103B4
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 500103E1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 500103E6
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 5001041C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010421
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@$Unicode$AnsiExcept$qqrvException@$bctr$qqrp20FromRaiseRecpx14RecxiStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Internal$Asg$qqrr20Stringx20
                                                              • String ID:
                                                              • API String ID: 2110080293-0
                                                              • Opcode ID: 2acdd1ed6b19c18f9c3d6a13469d4a30c81e8413c8df2a859eca72d6a4b32dc1
                                                              • Instruction ID: 3dd440310b7d6b838b62487898f5154655aa6721fdb6a91f51f28f113b154d74
                                                              • Opcode Fuzzy Hash: 2acdd1ed6b19c18f9c3d6a13469d4a30c81e8413c8df2a859eca72d6a4b32dc1
                                                              • Instruction Fuzzy Hash: 62517F30E012969FEB10CFA4ED81AAEB7F8EF18304F504266E940E7251D7B59E81CB91
                                                              Function 50031250 Relevance: 21.1, APIs: 14, Instructions: 139COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031275
                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 500312E9
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,00000001,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB), ref: 500312EE
                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 50031305
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,00000001,?,?,00000001,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530), ref: 5003130A
                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 5003133E
                                                              • @Variants@VarArrayCreateError$qqrv.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031349
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031354
                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 500313BB
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB), ref: 500313C0
                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 500313D4
                                                              • @Variants@VarResultCheck$qqrl.RTL120(00000000,?,?,?,?,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530), ref: 500313D9
                                                              • VariantCopy.OLEAUT32(?,00000000), ref: 50031409
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,00000000,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB), ref: 5003140E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Variants@$ArrayCheck$qqrlResult$Safe$BoundCreateIndex$Clear$qqrr8CopyDataError$qqrvVariantVariants@@
                                                              • String ID:
                                                              • API String ID: 2462754632-0
                                                              • Opcode ID: d2226f6f942347185893c2112448d7c493ef7b5df07ef858df8a6411db5986f1
                                                              • Instruction ID: 68a44697431ba9d170457ca7a9e020540fd923d0265e6cf9d388f6b8b8de95fb
                                                              • Opcode Fuzzy Hash: d2226f6f942347185893c2112448d7c493ef7b5df07ef858df8a6411db5986f1
                                                              • Instruction Fuzzy Hash: E951EF759026599FCB16DB98DC91BD9B3FCAF5C200F0442E6F509E7202D6709F858FA1
                                                              Function 500262D0 Relevance: 21.1, APIs: 14, Instructions: 113COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00000000,5002647C), ref: 50026303
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026327
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026342
                                                              • @Sysutils@AnsiStrRScan$qqrpbb.RTL120(?,?,00000105), ref: 50026366
                                                              • @Sysutils@StrLCopy$qqrpbpxbui.RTL120(?,?,00000105), ref: 5002637B
                                                              • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(?,?,00000105), ref: 50026392
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000105), ref: 5002639E
                                                              • @Sysutils@StrLen$qqrpxb.RTL120(?,?,00000105), ref: 500263A7
                                                              • @System@FindResourceHInstance$qqrui.RTL120(0000FFD6,?,00000100,?,?,00000105), ref: 500263D7
                                                              • LoadStringW.USER32(00000000,0000FFD6,?,00000100), ref: 500263DD
                                                              • @System@TObject@ClassName$qqrv.RTL120(?,?,00000105), ref: 500263EA
                                                              • @Sysutils@StrLFmt$qqrpbuit1px14System@TVarRecxi.RTL120(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 50026454
                                                              • @Sysutils@StrLen$qqrpxb.RTL120(?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 5002645C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Sysutils@$ClassFileLen$qqrpxbModuleNameStringSystem@@$AnsiChar$qqrx20Class$qqrp14Copy$qqrpbpxbuiFindFmt$qqrpbuit1px14Instance$qqruiLoadMetaName$qqrvObject@Objectp17QueryRecxiResourceScan$qqrpbbUnicodeVirtual
                                                              • String ID:
                                                              • API String ID: 3883136372-0
                                                              • Opcode ID: 26642bce504ab1d5de481313da31769c506bee54e9e21774b4cd9cd9320994c5
                                                              • Instruction ID: 811c3105ae2c2e25737f7d5603747125e796c38313662228b4ee9a41d4d60d20
                                                              • Opcode Fuzzy Hash: 26642bce504ab1d5de481313da31769c506bee54e9e21774b4cd9cd9320994c5
                                                              • Instruction Fuzzy Hash: C3416170A026989FEB20DFA4DC81BCEB7F9AB58300F4045E6E548E7241D7759E94CF90
                                                              Function 5000AC14 Relevance: 19.7, APIs: 13, Instructions: 178COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000ADF2), ref: 5000AC77
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ACC4
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000ADF2), ref: 5000ACD0
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ACED
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000000,5000ADF2), ref: 5000AD05
                                                              • @System@@LStrSetLength$qqrv.RTL120(?,?,00000000,5000ADF2), ref: 5000AD1D
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(?,?,00000000,5000ADF2), ref: 5000AD41
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,?,00000000,5000ADF2), ref: 5000AD69
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,?,?,00000000,5000ADF2), ref: 5000AD8D
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,00000000,?,?,00000000,5000ADF2), ref: 5000AD95
                                                              • @System@UniqueString$qqrr27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ADA6
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000ADF2), ref: 5000ADC2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@$Unicode$AnsiSystem@%$From$InternalT$us$i0$%$Str$qqrr27StringusT$us$i0$%x20$Str$qqrr20Stringx27$Char$qqrx20$Asg$qqrr20Char$qqrx27Length$qqrvString$qqrr27Stringx20Unique
                                                              • String ID:
                                                              • API String ID: 3676940474-0
                                                              • Opcode ID: bb095718089ea6be8f972c8c7ef42ee5cb20509a0965c4a480db5d170545e9f0
                                                              • Instruction ID: ac500fde1abb86cd177b816adb830af5aaa922a19d54f23eb4e0e9c860ba2dc2
                                                              • Opcode Fuzzy Hash: bb095718089ea6be8f972c8c7ef42ee5cb20509a0965c4a480db5d170545e9f0
                                                              • Instruction Fuzzy Hash: BA51AE30A011A58FFF11DFB8D8A0AAEB3F5BF82200B918276E501DB654DB74DD41CB41
                                                              Function 5001EC6C Relevance: 19.6, APIs: 13, Instructions: 147COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ECC4
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ECF1
                                                              • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001ED1A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ED3C
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001EDFA), ref: 5001ED60
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EDFA), ref: 5001ED6A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ED87
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001EDAB
                                                              • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001EDB6
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EDFA), ref: 5001EDCC
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5001EDFA), ref: 5001EDDF
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$From$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$FormatInternalSysutils@$Buf$qqrpbuipxvuipx14Length$qqrr20Recxirx24SettingsStringi$Asg$qqrr20CharChar$qqrx20Len$qqrr20StringpbiStringx20
                                                              • String ID:
                                                              • API String ID: 1571066770-0
                                                              • Opcode ID: 64cdb319a3e332e6adb68e29035f8a23bacc852be664f48c6a3ab591bbd3c75b
                                                              • Instruction ID: cf008f4841a0b878aeaef547bb5394bc45d7c61c31ed61ef41548ca3eb0479a1
                                                              • Opcode Fuzzy Hash: 64cdb319a3e332e6adb68e29035f8a23bacc852be664f48c6a3ab591bbd3c75b
                                                              • Instruction Fuzzy Hash: 9E514B74B00199EFDB10DFA8DD8199EB7F9EF58200B6046A6E904E7355D730EE81DB90
                                                              Function 5001EAD4 Relevance: 19.6, APIs: 13, Instructions: 143COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB2C
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB59
                                                              • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB7E
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBA0
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBC4
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBCE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBEB
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC0B
                                                              • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC16
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC2C
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC3F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$From$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Buf$qqrpbuipxvuipx14FormatLength$qqrr20RecxiStringiSysutils@$Asg$qqrr20CharChar$qqrx20Len$qqrr20StringpbiStringx20
                                                              • String ID:
                                                              • API String ID: 2011730137-0
                                                              • Opcode ID: e0ec65ee7119bda094fea1574f5fbe587e7ff05964032da46d515081ca9c0199
                                                              • Instruction ID: 905ef9e5a7d310ec851db8a729e0b9c5fd371b18d59da8299c39f15f331ca2da
                                                              • Opcode Fuzzy Hash: e0ec65ee7119bda094fea1574f5fbe587e7ff05964032da46d515081ca9c0199
                                                              • Instruction Fuzzy Hash: 03515C70A05199EFDB00DFA8DD8199EB7F9FF88200B6046A6E905E7355D730EE81DB90
                                                              Function 5001671C Relevance: 19.6, APIs: 13, Instructions: 136COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                              • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                              • @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$From$AnsiStr$qqrr20Stringx20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20Cat$qqrr20Cat3$qqrr20Char$qqrr20Copy$qqrx20DupeStr$qqriString$qqrx20StringbStringiStringiiStringt2Strutils@Sysutils@
                                                              • String ID:
                                                              • API String ID: 2114788560-0
                                                              • Opcode ID: b7fb9b28b5c2121679e22dd6f35be3f677741a1e7c790f700155013dc50960c1
                                                              • Instruction ID: 16ea5a0d39597b1b2e5b354b4af76d672fd4379d434ada6c456a148815a4d04d
                                                              • Opcode Fuzzy Hash: b7fb9b28b5c2121679e22dd6f35be3f677741a1e7c790f700155013dc50960c1
                                                              • Instruction Fuzzy Hash: DD514770A012998FDF00CFA9DD919AEB7F5FF49214B60466AE500E7395DB34EE81CB90
                                                              Function 5001BDBC Relevance: 19.6, APIs: 13, Instructions: 90COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BDF4
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE04
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@ExcludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE0F
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE1A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE37
                                                              • @Sysutils@DirectoryExists$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE51
                                                                • Part of subcall function 5001BD98: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000001,5001BE56,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BD9D
                                                                • Part of subcall function 5001BD98: GetFileAttributesW.KERNEL32(00000000,00000001,5001BE56,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BDA3
                                                              • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE64
                                                                • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                              • @System@@UStrEqual$qqrv.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE6F
                                                                • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3B7
                                                                • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3CC
                                                                • Part of subcall function 5000A45C: @System@@LStrArrayClr$qqrpvi.RTL120(00000000,00000000), ref: 5000A44F
                                                              • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE81
                                                              • @Sysutils@ForceDirectories$qqr20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE89
                                                              • @Sysutils@CreateDir$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE95
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$String$System@@$Sysutils@$AnsiFileFromStr$qqrr20Stringx27System@%T$us$i0$%$Delimiter$qqrx20ExtractPath$qqrx20Raise$AfterArrayAsg$qqrr20AttributesChar$qqrx20ClassClassoClr$qqrpviConstruction$qqrp14Copy$qqrx20CreateCreate$qqrp17Dir$qqrx20Directories$qqr20DirectoryEqual$qqrvError$qqrucExcept$qqrvException@$bctr$qqrp20ExcludeExists$qqrx20ForceInternalLastList$qqrvLoadMetaObjectPathString$qqrp20StringiiStringt1Stringx20Trailing
                                                              • String ID:
                                                              • API String ID: 2306203679-0
                                                              • Opcode ID: 56a2d1a22aa08b1fbeaa17cbbf80d16e66359434df9b90dacc96891ee287758f
                                                              • Instruction ID: 50c6019c4f89038e0e7c76c75c5a4f51b8fbce8d55c1420a97c27fa388cfb9c6
                                                              • Opcode Fuzzy Hash: 56a2d1a22aa08b1fbeaa17cbbf80d16e66359434df9b90dacc96891ee287758f
                                                              • Instruction Fuzzy Hash: 2531D534A01289DFDF04EFA4ED829DDB3F4EF94200F6046A6E60097212D770EE85DB80
                                                              Function 50023838 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 5002385E
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 50023891
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 500238A0
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000200,00000000,50023929), ref: 500238B4
                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238C0
                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238C6
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238DC
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 5002390E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$Asg$qqrr20Stringx20$Array$qqrr20Char$qqrx20Copy$qqrx20DateFormatFromLocaleStringiiStringpbiThread
                                                              • String ID: $yyyy
                                                              • API String ID: 1172944777-404527807
                                                              • Opcode ID: 88830cba35c6eddecc1ac2c1449b220e654a0ef3beac0e7d82714beb81f21552
                                                              • Instruction ID: 71332474c6b87554fb3030c3449044ef5b0949cbd634da679827f02ba86c845d
                                                              • Opcode Fuzzy Hash: 88830cba35c6eddecc1ac2c1449b220e654a0ef3beac0e7d82714beb81f21552
                                                              • Instruction Fuzzy Hash: 1521D634A066999FEF24DF94D891AAEB3F8EF19300F4041A6F948E7251D7709E40C7E1
                                                              Function 50022B80 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BA6
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BD9
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BE8
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000100,00000000,50022C71), ref: 50022BFC
                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C08
                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C0E
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C24
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C56
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$Asg$qqrr20Stringx20$Array$qqrr20Char$qqrx20Copy$qqrx20DateFormatFromLocaleStringiiStringpbiThread
                                                              • String ID: $yyyy
                                                              • API String ID: 1172944777-404527807
                                                              • Opcode ID: 7ef1087f4d4af34cec82ccebe09d2b5c760a2d6a66edd987d5132df130b4dd83
                                                              • Instruction ID: 6e21ac3d6df65d55f339e6910fdd066f09115e269f720ce5f53e5c818f6ba049
                                                              • Opcode Fuzzy Hash: 7ef1087f4d4af34cec82ccebe09d2b5c760a2d6a66edd987d5132df130b4dd83
                                                              • Instruction Fuzzy Hash: 4421A635A02599ABDB05DFE4D8919AEB3F8EF18300F9142A6F908E7251D7309E41C7E1
                                                              Function 5000BBB4 Relevance: 18.3, APIs: 12, Instructions: 295COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5000BF16), ref: 5000BC02
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BC2B
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BC7F
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BD60
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BEDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$StringSystem@System@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$EnsureString$qqrr20
                                                              • String ID:
                                                              • API String ID: 2573053487-0
                                                              • Opcode ID: 97667f7b19627494281d573ce0d46fa2221eafa0171f85fe3d9223722af12486
                                                              • Instruction ID: 59446d4d2ba1da7a5ff25cac286c0d0f07febfb8898b249f3869d09b78310809
                                                              • Opcode Fuzzy Hash: 97667f7b19627494281d573ce0d46fa2221eafa0171f85fe3d9223722af12486
                                                              • Instruction Fuzzy Hash: 3CB18D30D0419ADBEB20EFA8C861BEEB3F5EF40314F908666D50197295E7B48E85DB81
                                                              Function 500107B0 Relevance: 18.1, APIs: 12, Instructions: 128COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001092F,?,?), ref: 500107DE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 500107FB
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 50010833
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,5000FDAE,00000000,5001092F,?,?), ref: 50010864
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,5000FDAE,00000000,5001092F,?,?), ref: 50010869
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 50010886
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5001092F,?,?), ref: 50010892
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 500108B3
                                                              • @Character@TCharacter@ConvertToUtf32$qqrx20System@UnicodeStringi.RTL120(00000000,5001092F,?,?), ref: 500108CB
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120(00000000,5001092F,?,?), ref: 500108DB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$Character@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20ConvertExcept$qqrvException@$bctr$qqrp20Initialize$qqrvLatin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@Utf32$qqrx20
                                                              • String ID:
                                                              • API String ID: 1571831625-0
                                                              • Opcode ID: 85393cb161c1816bc41922dd3de2d3b0f49e4e06d07e37d77665b878cc553ffb
                                                              • Instruction ID: db5d648a61a0c398fe2207ce4aef69e534902f808f4f142b5e1ae4a32dae8c69
                                                              • Opcode Fuzzy Hash: 85393cb161c1816bc41922dd3de2d3b0f49e4e06d07e37d77665b878cc553ffb
                                                              • Instruction Fuzzy Hash: AF41B230A042899FEB10DFA4DC915AEB7F5EF44300F5042A6E581D7256DBB4DE85D7D0
                                                              Function 5001AB98 Relevance: 18.1, APIs: 12, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,?,5001AD11,00000000,5001ADED), ref: 5001ABA9
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABD0
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABEB
                                                              • @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ABFE
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001AC30
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5001AC41
                                                                • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120 ref: 5001AC4B
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001AC56
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5001AC7C
                                                              • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001AC99
                                                              • @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ACAC
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5001ACC7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$Sysutils@Unicode$Ansi$Scan$qqrpbb$String$End$qqrpxbFromMove$qqrpxvpvi$Asg$qqrr20CharChar$qqrx20Clr$qqrpvLen$qqrr20Length$qqrr20Mem$qqrrpviReallocStr$qqrr20StringiStringpbiStringx20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 392231086-0
                                                              • Opcode ID: 34e386615c20764c686fa2e330a007194eeb9ffd2f6092f69671aca0717def4e
                                                              • Instruction ID: 272aa0e68da5d34f8c7963d109c1e33d6c47abc84314b6cdbc7e838049ef833e
                                                              • Opcode Fuzzy Hash: 34e386615c20764c686fa2e330a007194eeb9ffd2f6092f69671aca0717def4e
                                                              • Instruction Fuzzy Hash: 1C4178757056B48FDB269F68DC9075973E1EB97320F4046A5E040CF35AEB35AC82CB86
                                                              Function 5001155C Relevance: 18.1, APIs: 12, Instructions: 104COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011688), ref: 5001158A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 500115A7
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 500115DF
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011688), ref: 50011610
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011688), ref: 50011615
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 50011632
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50011688), ref: 5001163E
                                                              • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120(00000000,50011688), ref: 50011653
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50011688), ref: 50011661
                                                              • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120(00000000,50011688), ref: 50011666
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$CategoryCheckSymbol$qqr26$Asg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 3532062273-0
                                                              • Opcode ID: 02f4e0b453128032bd79c09e3ed692ee6b80c67c9a4282a1909b60d356ae584f
                                                              • Instruction ID: cf5c02718057c24ffe030ee689320cfff37d531f52e15f9273e95cb41984650f
                                                              • Opcode Fuzzy Hash: 02f4e0b453128032bd79c09e3ed692ee6b80c67c9a4282a1909b60d356ae584f
                                                              • Instruction Fuzzy Hash: C431D030A006899BDF05DFA8EC829EDB7FAAF94200F5842A6E541D7242D771DE81D781
                                                              Function 5000FCA4 Relevance: 18.1, APIs: 12, Instructions: 104COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000FDD0), ref: 5000FCD2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FCEF
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FD27
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5000FDD0), ref: 5000FD58
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5000FDD0), ref: 5000FD5D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FD7A
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5000FDD0), ref: 5000FD86
                                                              • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120(00000000,5000FDD0), ref: 5000FD9B
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,5000FDD0), ref: 5000FDA9
                                                              • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120(00000000,5000FDD0), ref: 5000FDAE
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$CategoryCheckDigit$qqr26Letter$Asg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 4166249876-0
                                                              • Opcode ID: 40ee31226fb4796293f06ddc81e8dbef87543a4be0e7f81b875c0f28c5afefb1
                                                              • Instruction ID: 7e8255dbcbdf30cf2898f3883974bde59dcb4dfa51a195c6f4f674c5af2fb4cd
                                                              • Opcode Fuzzy Hash: 40ee31226fb4796293f06ddc81e8dbef87543a4be0e7f81b875c0f28c5afefb1
                                                              • Instruction Fuzzy Hash: E531D330A001999BEF01DFA8E8A25BDB7F6AF54200F9042A7E940D7651D7709F45E781
                                                              Function 5000D350 Relevance: 18.1, APIs: 12, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000D365
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D41B), ref: 5000D37C
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D41B), ref: 5000D3A1
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5000D41B), ref: 5000D3B6
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,5000D41B), ref: 5000D3BF
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,5000D41B), ref: 5000D3C8
                                                              • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,00000000,5000D41B), ref: 5000D3D1
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,00000000,5000D41B), ref: 5000D3E2
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5000D41B), ref: 5000D3EE
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5000D41B), ref: 5000D3F8
                                                              • @System@@LStrClr$qqrpv.RTL120(5000D422), ref: 5000D415
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$String$AnsiAsg$qqrr20Stringx20System@%$FromLength$qqrr20Str$qqrr27StringiStringusT$us$i0$%x20$Char$qqrx20Char$qqrx27Clr$qqrpvInternalRef$qqrpvT$us$i0$%Unicode$qqrpbuipcuiUtf8
                                                              • String ID:
                                                              • API String ID: 4232215533-0
                                                              • Opcode ID: ad4d0f6f34169782e74c51b16991eb8d356e2d98f7b635619e335aac60af7289
                                                              • Instruction ID: 3b1bd491e4cd28c8667a27129fb9a09298fa26f3dbe235ab3b7280bbe119c3e9
                                                              • Opcode Fuzzy Hash: ad4d0f6f34169782e74c51b16991eb8d356e2d98f7b635619e335aac60af7289
                                                              • Instruction Fuzzy Hash: FE218034B01689ABEB00DBB8D9A299EB7F9EF58200BD04677A104D7251DB70DF42C691
                                                              Function 5000D268 Relevance: 18.1, APIs: 12, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000D27D
                                                              • @System@@WStrClr$qqrpv.RTL120(00000000,5000D32F), ref: 5000D292
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D32F), ref: 5000D2B7
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120(00000000,5000D32F), ref: 5000D2CC
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,5000D32F), ref: 5000D2D5
                                                              • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,00000000,00000000,5000D32F), ref: 5000D2DE
                                                              • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,00000000,5000D32F), ref: 5000D2E7
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120(00000000,00000000,5000D32F), ref: 5000D2F8
                                                              • @System@@WStrClr$qqrpv.RTL120(00000000,00000000,5000D32F), ref: 5000D302
                                                              • @System@@WStrAsg$qqrr17System@WideStringx17System@WideString.RTL120(00000000,00000000,5000D32F), ref: 5000D30C
                                                              • @System@@WStrClr$qqrpv.RTL120(5000D336), ref: 5000D321
                                                              • @System@@LStrClr$qqrpv.RTL120(5000D336), ref: 5000D329
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$String$Wide$Clr$qqrpv$AnsiSystem@%$FromLength$qqrr17Str$qqrr27StringiStringusT$us$i0$%x20Unicode$Asg$qqrr17Char$qqrx17Char$qqrx27FreeInternalRef$qqrpvStringx17T$us$i0$%Unicode$qqrpbuipcuiUtf8
                                                              • String ID:
                                                              • API String ID: 4137807012-0
                                                              • Opcode ID: 9d99f426a5258040bba127735ebeabb60f29094ae9e6efebe0269d1dc8d28938
                                                              • Instruction ID: fe8e2a62b9cd70ac692412814637c9b7d703ad39900a8dd57bf602c3009e5012
                                                              • Opcode Fuzzy Hash: 9d99f426a5258040bba127735ebeabb60f29094ae9e6efebe0269d1dc8d28938
                                                              • Instruction Fuzzy Hash: CF215034A01688ABEB01DBE5D9A199DB7F8EF58200BD04277A500E7251DB70DF419795
                                                              Function 50026498 Relevance: 18.1, APIs: 12, Instructions: 58filewindowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@ExceptionErrorMessage$qqrp14System@TObjectpvpbi.RTL120(00000800), ref: 500264B1
                                                                • Part of subcall function 500262D0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,5002647C), ref: 50026303
                                                                • Part of subcall function 500262D0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026327
                                                                • Part of subcall function 500262D0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026342
                                                                • Part of subcall function 500262D0: @Sysutils@AnsiStrRScan$qqrpbb.RTL120(?,?,00000105), ref: 50026366
                                                                • Part of subcall function 500262D0: @Sysutils@StrLCopy$qqrpbpxbui.RTL120(?,?,00000105), ref: 5002637B
                                                                • Part of subcall function 500262D0: @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(?,?,00000105), ref: 50026392
                                                                • Part of subcall function 500262D0: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000105), ref: 5002639E
                                                                • Part of subcall function 500262D0: @Sysutils@StrLen$qqrpxb.RTL120(?,?,00000105), ref: 500263A7
                                                                • Part of subcall function 500262D0: @System@FindResourceHInstance$qqrui.RTL120(0000FFD6,?,00000100,?,?,00000105), ref: 500263D7
                                                                • Part of subcall function 500262D0: LoadStringW.USER32(00000000,0000FFD6,?,00000100), ref: 500263DD
                                                                • Part of subcall function 500262D0: @System@TObject@ClassName$qqrv.RTL120(?,?,00000105), ref: 500263EA
                                                                • Part of subcall function 500262D0: @Sysutils@StrLFmt$qqrpbuit1px14System@TVarRecxi.RTL120(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 50026454
                                                              • @System@Flush$qqrr15System@Textfile.RTL120(00000800), ref: 500264C5
                                                              • @System@@_IOTest$qqrv.RTL120(00000800), ref: 500264CA
                                                              • CharToOemW.USER32(?,?), ref: 500264DF
                                                              • @Sysutils@StrLen$qqrpxc.RTL120(?,00000000,00000800), ref: 500264F2
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000800), ref: 50026502
                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000800), ref: 50026508
                                                              • GetStdHandle.KERNEL32(000000F4,50026578,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000800), ref: 5002651D
                                                              • WriteFile.KERNEL32(00000000,000000F4,50026578,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000800), ref: 50026523
                                                              • @System@FindResourceHInstance$qqrui.RTL120(0000FFD7,?,00000040,00000800), ref: 5002653F
                                                              • LoadStringW.USER32(00000000,0000FFD7,?,00000040), ref: 50026545
                                                              • MessageBoxW.USER32(00000000,?,?,00002010), ref: 5002655E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Sysutils@$File$String$ClassFindHandleInstance$qqruiLoadModuleNameResourceSystem@@Write$AnsiCharChar$qqrx20Class$qqrp14Copy$qqrpbpxbuiErrorExceptionFlush$qqrr15Fmt$qqrpbuit1px14Len$qqrpxbLen$qqrpxcMessageMessage$qqrp14MetaName$qqrvObject@Objectp17ObjectpvpbiQueryRecxiScan$qqrpbbSystem@@_Test$qqrvTextfileUnicodeVirtual
                                                              • String ID:
                                                              • API String ID: 682148156-0
                                                              • Opcode ID: f56c95302a1c536e387dbb5fa9a6a78a2f0151cc5fefaab932fbb0d1fae44bcc
                                                              • Instruction ID: f4590949c087f8aafe1dbb2c7c4ba6b3c2bf3514901ac64eb4a44afc2398d7eb
                                                              • Opcode Fuzzy Hash: f56c95302a1c536e387dbb5fa9a6a78a2f0151cc5fefaab932fbb0d1fae44bcc
                                                              • Instruction Fuzzy Hash: 001194715456C17AF320DBE0EC56FDB73DC6B24310F808B16B298D60E2DE34E64487A2
                                                              Function 5001138C Relevance: 16.6, APIs: 11, Instructions: 123COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500114E2), ref: 500113BB
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 500113D8
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 50011410
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500114E2), ref: 50011441
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500114E2), ref: 50011446
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 50011463
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 5001148D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 500114AC
                                                              • @Character@TCharacter@IsSurrogatePair$qqrxbxb.RTL120(00000000,500114E2), ref: 500114BC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20Pair$qqrxbxbRaiseRecpx14RecxiStringx20SurrogateSysutils@
                                                              • String ID:
                                                              • API String ID: 1194877190-0
                                                              • Opcode ID: a9b30fe3f2403a0302ec5bf63648d9ce3e1555fb2ec83c40806ccb76183649ed
                                                              • Instruction ID: 5b2fcd8ece5833fd3d9f2a349bbedbb4582ae67bb33aebb72d879f9c31b886ea
                                                              • Opcode Fuzzy Hash: a9b30fe3f2403a0302ec5bf63648d9ce3e1555fb2ec83c40806ccb76183649ed
                                                              • Instruction Fuzzy Hash: 9E419D30A00289ABDF15DFA8ED81AEEB7F5EF44700F5442A6E940D7245E774EE81C790
                                                              Function 500244D8 Relevance: 16.6, APIs: 11, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024620), ref: 50024537
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50024620), ref: 5002454D
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024620), ref: 5002455D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50024620), ref: 5002457A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50024620), ref: 500245A2
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000000,50024620), ref: 500245B6
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,?,00000000,50024620), ref: 500245C0
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000000,50024620), ref: 500245CD
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000400,00000001,00000000,?,00000000,?,?,00000000,50024620), ref: 500245F1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20EnsureString$qqrr20$Asg$qqrr20CompareCopy$qqrx20Len$qqrx20StringiiStringx20
                                                              • String ID:
                                                              • API String ID: 4220554184-0
                                                              • Opcode ID: 96b5e629e91b5904e2abc59b103f2b6dd95f87f350b544be9f16c5b7b18ccc62
                                                              • Instruction ID: 0917f6d901124ccc03c99a1b7cbd9fd473add03b710357cd351074ee3f025ca5
                                                              • Opcode Fuzzy Hash: 96b5e629e91b5904e2abc59b103f2b6dd95f87f350b544be9f16c5b7b18ccc62
                                                              • Instruction Fuzzy Hash: 7F41C530A016969FDF41DFB8E951A9EF7F9EF84200F504266E940D7246D770DE41C741
                                                              Function 5002A640 Relevance: 16.6, APIs: 11, Instructions: 118COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@GetModuleName$qqrui.RTL120(00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A67B
                                                              • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A686
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6A3
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6B2
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6B7
                                                              • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6E5
                                                              • @Sysutils@StrLen$qqrpxc.RTL120(?,?,?,00000003,00000000,00000000), ref: 5002A6F7
                                                              • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A720
                                                              • @Sysutils@StrLen$qqrpxc.RTL120(?,?,?,00000003,00000000,00000000), ref: 5002A733
                                                              • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A758
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Sysutils@$String$qqrpxcxi$Len$qqrpxcStringUnicode$Except$qqrvException@$bctr$qqrx20ExtractFileLoadModuleName$qqruiName$qqrx20RaiseRecxiString$qqrp20Stringpx14System@@
                                                              • String ID:
                                                              • API String ID: 1154392791-0
                                                              • Opcode ID: 3dce76c8eb215aedfc1eb9f086bf8e2351b8edb69d44172689399a892dcc44c1
                                                              • Instruction ID: 490cf656cc89e769677ed1d8ac02a07099c920838aaedf4d8d0b1e3e7b1f0adf
                                                              • Opcode Fuzzy Hash: 3dce76c8eb215aedfc1eb9f086bf8e2351b8edb69d44172689399a892dcc44c1
                                                              • Instruction Fuzzy Hash: FF41D474A0168A9FDB04CF94DC91ADEB7F4EF18304F40467AE905E7241EA34AE05CBA0
                                                              Function 50011698 Relevance: 16.6, APIs: 11, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500117DF), ref: 500116C6
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 500116E3
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 5001171B
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500117DF), ref: 5001174C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500117DF), ref: 50011751
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 5001176E
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,500117DF), ref: 5001177A
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,500117DF), ref: 50011788
                                                              • @Character@TCharacter@IsAscii$qqrb.RTL120(00000000,500117DF), ref: 50011798
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$Character@StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Ascii$qqrbAsg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1016462649-0
                                                              • Opcode ID: e1c3648808a7966ff7b4d89349605bd0866a16b14a5e335949c975cf6d57a822
                                                              • Instruction ID: d8a2c921cb0381c3f4e4b64832713658ab93ef8ffd1cbe9df7beed8a80b09d51
                                                              • Opcode Fuzzy Hash: e1c3648808a7966ff7b4d89349605bd0866a16b14a5e335949c975cf6d57a822
                                                              • Instruction Fuzzy Hash: D541E234A081899FDF15DFA8EC816EDB7F5AF04200F5842A6E540E7391E7749E86C791
                                                              Function 50010ADC Relevance: 16.6, APIs: 11, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010C23), ref: 50010B0A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010B27
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010B5F
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010C23), ref: 50010B90
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010C23), ref: 50010B95
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010BB2
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50010C23), ref: 50010BBE
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50010C23), ref: 50010BCC
                                                              • @Character@TCharacter@IsAscii$qqrb.RTL120(00000000,50010C23), ref: 50010BDC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$Character@StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Ascii$qqrbAsg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1016462649-0
                                                              • Opcode ID: 055fdcc4fd2cb603ec54a412d362998b8024ac72caa7866e3aaa1dae6ff76cc5
                                                              • Instruction ID: e0cb8508ea0ee3c123a5ca94656853c590a1bcf096955fea472a91734319ba04
                                                              • Opcode Fuzzy Hash: 055fdcc4fd2cb603ec54a412d362998b8024ac72caa7866e3aaa1dae6ff76cc5
                                                              • Instruction Fuzzy Hash: 2041C334A042899BDF11DFA8EC815EFB7F5AF44304F5043A6E980E7256D7B49E85D780
                                                              Function 50011878 Relevance: 16.6, APIs: 11, Instructions: 113COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500119B9), ref: 500118A6
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 500118C3
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 500118FB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500119B9), ref: 5001192C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500119B9), ref: 50011931
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 5001194E
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,500119B9), ref: 5001195A
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,500119B9), ref: 50011992
                                                              • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120(00000000,500119B9), ref: 50011997
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$Character@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20CategoryCategory$qqrx20CheckExcept$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiSeparator$qqr26StringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2188507345-0
                                                              • Opcode ID: 85115377bf31bf0ae937a71f4f08936809c5e55ff9e9a0035250b4a8e60bbdc2
                                                              • Instruction ID: 70db1d6cf51ae63cbd989f7e97dabe6d18dd781c46a6f130b903eaa5e37548f1
                                                              • Opcode Fuzzy Hash: 85115377bf31bf0ae937a71f4f08936809c5e55ff9e9a0035250b4a8e60bbdc2
                                                              • Instruction Fuzzy Hash: B531A030A00289ABEF15DFA4ECA16EDB7F9EF45300F984266E950D7241EB709EC1D791
                                                              Function 5001113C Relevance: 16.6, APIs: 11, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011268), ref: 5001116A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 50011187
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 500111BF
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011268), ref: 500111F0
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011268), ref: 500111F5
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 50011212
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50011268), ref: 5001121E
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50011268), ref: 5001122C
                                                              • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120(00000000,50011268), ref: 50011231
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$Character@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20CategoryCategory$qqrx20CheckExcept$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiSeparator$qqr26StringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2188507345-0
                                                              • Opcode ID: 8add54bfcd6dd47ba13f697dc763ddc4121468a9bd01c1802535063be17968c9
                                                              • Instruction ID: 5ac73815b234001b978d6f963799290576de029f4385e846c2353e19faa8a449
                                                              • Opcode Fuzzy Hash: 8add54bfcd6dd47ba13f697dc763ddc4121468a9bd01c1802535063be17968c9
                                                              • Instruction Fuzzy Hash: E831E130A00289ABDF05DFA4EC916EEB7F5EF55200F5442A6EA00E7641D7709E82C781
                                                              Function 5002DC38 Relevance: 16.6, APIs: 11, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002DC60
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002DC65
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DC88
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DC8D
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCB0
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCB5
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002DCBC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCE1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCE6
                                                              • @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,?), ref: 5002DCF3
                                                              • @System@@DynArraySetLength$qqrv.RTL120(?,?,?,?), ref: 5002DD0D
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tuc%iiCharClassClassoConstruction$qqrp14Count$qqrx25Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                              • String ID:
                                                              • API String ID: 599856924-0
                                                              • Opcode ID: 39a4f14e8c5afb2c123811a7d51c8647724a787ebbbc59abf295d9c5b720c570
                                                              • Instruction ID: 0309c5079e81be2084f52493be9e10f0a15843ad46e8c2d9995aaba0ab869005
                                                              • Opcode Fuzzy Hash: 39a4f14e8c5afb2c123811a7d51c8647724a787ebbbc59abf295d9c5b720c570
                                                              • Instruction Fuzzy Hash: A3319371A05586ABDB00DFD8ECD1BAEB7B9BB58304F50826AF904D7352CB71AD01CB90
                                                              Function 5002B33C Relevance: 16.6, APIs: 11, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B37F
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B391
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3A1
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3A9
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3C6
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000001,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3DB
                                                              • @System@@DynArrayHigh$qqrv.RTL120 ref: 5002B3E6
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5002B408
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5002B416
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$ArrayStringStringx20$Asg$qqrr20Length$qqrv$Cat3$qqrr20Char$qqrr20Copy$qqrx20FromHigh$qqrvInt$qqrx20StringiiStringpbStringt2Sysutils@
                                                              • String ID:
                                                              • API String ID: 2891979734-0
                                                              • Opcode ID: 62cae7c73cfc9a71c568ecde9f2d99c8dca23b157ec7d973969221ac07eb201c
                                                              • Instruction ID: 33f49da7cf7d534711dd3b735e4964b946f028d1e955376cf8d5b37d4a493396
                                                              • Opcode Fuzzy Hash: 62cae7c73cfc9a71c568ecde9f2d99c8dca23b157ec7d973969221ac07eb201c
                                                              • Instruction Fuzzy Hash: CB313274A01189DBEB00EF94E991AAEB7B8EF44300F508276E9059B356DB34EE45CB90
                                                              Function 50030940 Relevance: 16.6, APIs: 11, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,50030A24), ref: 500309A6
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,50030A24), ref: 500309A1
                                                                • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,50030A24), ref: 50030992
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 50030975
                                                                • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 500309B2
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 500309C6
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,50030A24), ref: 500309E3
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,50030A24), ref: 500309F2
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50030A24), ref: 500309F7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$Stringx20$LoadRaiseRecxiStringpx14Sysutils@Text$qqrxusTypeVariants@$Asg$qqrr20Cat3$qqrr20Except$qqrvException@$bctr$qqrx20String$qqrp20Stringt2$CharClassClassoCreate$qqrp17Error$qqrucFindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceStringpbi
                                                              • String ID:
                                                              • API String ID: 3925043654-0
                                                              • Opcode ID: 131c35e12c0e8e47e1fde943e8facb4ce90f3ede14ba4413e4a48e2dfa573d87
                                                              • Instruction ID: 4ca92997f7d99f258bade771785e71a5bab742ac08337daf03ab8f9c2463306d
                                                              • Opcode Fuzzy Hash: 131c35e12c0e8e47e1fde943e8facb4ce90f3ede14ba4413e4a48e2dfa573d87
                                                              • Instruction Fuzzy Hash: 11212A749056888FEB05CBE8E891AEEB7F5EB58300F40866AE904A3341D7749A058BA1
                                                              Function 50016084 Relevance: 15.2, APIs: 10, Instructions: 186COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 500160A1
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500160F4
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 50016157
                                                              • CharUpperBuffA.USER32(?,00000100), ref: 500161CB
                                                              • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL120(?,00000100), ref: 500161D3
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(?,00000100), ref: 500161F4
                                                              • CharUpperBuffA.USER32(00000000,?,?,00000100), ref: 50016204
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 50016266
                                                              • @System@@EnsureAnsiString$qqrr27System@%AnsiStringT$us$i0$%us.RTL120 ref: 500162A8
                                                              • @System@@LStrClr$qqrpv.RTL120(50016309), ref: 500162FC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiString$System@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Internal$BuffCharUpper$A$qqrr27Clr$qqrpvEnsureRef$qqrpvString$qqrr27T$us$i0$%T$us$i0$%usUnique
                                                              • String ID:
                                                              • API String ID: 3754126448-0
                                                              • Opcode ID: 1ff42b0232398fc2689e3e5e0853df67aac0a3a8058dbe02572faacc32753696
                                                              • Instruction ID: 7aeabf7012fadaf89375e13735e907e93f1881e5daf33cb3c72b493a73839c93
                                                              • Opcode Fuzzy Hash: 1ff42b0232398fc2689e3e5e0853df67aac0a3a8058dbe02572faacc32753696
                                                              • Instruction Fuzzy Hash: A9718B30A042989FDB25CF68DC917D9B7F5AF45300F5082A6EA58DB242D7B1DEC4CB94
                                                              Function 500163C4 Relevance: 15.2, APIs: 10, Instructions: 176COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016423
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016472
                                                              • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120(00000000,500165BA), ref: 500164B2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 500164D1
                                                              • CharUpperBuffW.USER32(00000000,?,00000000,500165BA), ref: 500164E1
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016536
                                                              • @Character@TCharacter@IsLetterOrDigit$qqrb.RTL120(00000000,500165BA), ref: 50016561
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,500165BA), ref: 5001656F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringUnicode$System@System@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$BuffCharDigit$qqrbEnsureLetterString$qqrr20U$qqrr20UniqueUpper
                                                              • String ID:
                                                              • API String ID: 725871508-0
                                                              • Opcode ID: aee2499e3083b8a89e48e94aaf61e96d8fcfb8174b222e99395ef528110b3ede
                                                              • Instruction ID: 371616eb350b96e3d621023fbff1a77728028cc82446cf9de742119a6f8d3487
                                                              • Opcode Fuzzy Hash: aee2499e3083b8a89e48e94aaf61e96d8fcfb8174b222e99395ef528110b3ede
                                                              • Instruction Fuzzy Hash: B6616E30A0128A9FDF01CFA8DD816AEB7F6EF44314F608266E904EB255D770DE81CB90
                                                              Function 5000A6D4 Relevance: 15.1, APIs: 10, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A88E), ref: 5000A716
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5000A88E), ref: 5000A736
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A75D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A78A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A7C4
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120 ref: 5000A83E
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120 ref: 5000A843
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000001), ref: 5000A870
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$Unicode$StringSystem@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$ArrayLength$qqrv$EnsureLen$qqrx20String$qqrr20
                                                              • String ID:
                                                              • API String ID: 4245238830-0
                                                              • Opcode ID: af8f6a36bebf27765a23cdc18af7a898d4f77c15dba28067d957638e5394ac34
                                                              • Instruction ID: 6d2edc206bd9f8d921c39b7a1cc1f24274515dbb8e96becc019c4f36c3429797
                                                              • Opcode Fuzzy Hash: af8f6a36bebf27765a23cdc18af7a898d4f77c15dba28067d957638e5394ac34
                                                              • Instruction Fuzzy Hash: 4A518F30E0525ADFEB01DFA8C991AAEB7F1FF45300FA082B5D545A7251E774AE81CB80
                                                              Function 5002C4DC Relevance: 15.1, APIs: 10, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C518
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C52D
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C54A
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C572
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C59B
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5B8
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5D7
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5F1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$AnsiFromStr$qqrr20Stringx27System@%System@@T$us$i0$%Unicode$Internal$Move$qqrpxvpvi$Builder@set_Length$qqriSysutils@
                                                              • String ID:
                                                              • API String ID: 2984213798-0
                                                              • Opcode ID: d771aad7a1874d2db2ddaa5cfad2ceeff1fee016059b6d5b291e9fd79e2b5735
                                                              • Instruction ID: 068b442feed892b016037b59c515b6d51b768309edcd7f6c8bd425563627ec90
                                                              • Opcode Fuzzy Hash: d771aad7a1874d2db2ddaa5cfad2ceeff1fee016059b6d5b291e9fd79e2b5735
                                                              • Instruction Fuzzy Hash: 4141BE30701586DF9F11DF78EA8196DB7F6EF8421076483A5E505DB209EB70EE81DB80
                                                              Function 50010060 Relevance: 15.1, APIs: 10, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001018B), ref: 5001008E
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 500100AB
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 500100E3
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5001018B), ref: 50010114
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5001018B), ref: 50010119
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 50010136
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5001018B), ref: 50010142
                                                              • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,5001018B), ref: 50010150
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$AnsiCharacter@FromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1528459219-0
                                                              • Opcode ID: b698632cdc252e54ea1ec76e779071d0cec8955af3992b6e9722cf331ee822e6
                                                              • Instruction ID: a458a4b14fff98353ea6486d6640c8d5f1fac8ee108cf368196165f92ca042b4
                                                              • Opcode Fuzzy Hash: b698632cdc252e54ea1ec76e779071d0cec8955af3992b6e9722cf331ee822e6
                                                              • Instruction Fuzzy Hash: 5931B234A00289ABDF12DFA4DC916AFB7F5AF48300F5042A6E580A7251D7B59EC6C781
                                                              Function 5002D3D8 Relevance: 15.1, APIs: 10, Instructions: 90COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@TEncoding@GetUnicode$qqrv.RTL120(00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D402
                                                                • Part of subcall function 5002DF70: @Sysutils@TUnicodeEncoding@$bctr$qqrv.RTL120(00000000,?,5002D407,00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002DF82
                                                                • Part of subcall function 5002DF70: InterlockedCompareExchange.KERNEL32(500A6CA4,00000000,00000000), ref: 5002DF92
                                                                • Part of subcall function 5002DF70: @System@TObject@Free$qqrv.RTL120(00000000,?,5002D407,00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002DF9D
                                                                • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D38D
                                                                • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D396
                                                                • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D3A1
                                                              • @Sysutils@TEncoding@GetUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D41D
                                                              • @Sysutils@TEncoding@GetBigEndianUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D426
                                                              • @Sysutils@TEncoding@GetBigEndianUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D441
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D482
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D4A6
                                                              • @System@@FinalizeArray$qqrpvt1ui.RTL120(5002D4D5,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D4C8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$ArrayLength$qqrvSysutils@$Encoding@Unicode$qqrv$Endian$Array$qqrpvt1uiCompareEncoding@$bctr$qqrvExchangeFinalizeFree$qqrvInterlockedObject@System@Unicode
                                                              • String ID:
                                                              • API String ID: 84035370-0
                                                              • Opcode ID: adccd838f023833192a6ea8ef32ba18dfceb28250b807702a089e8f6cb3e4738
                                                              • Instruction ID: 039153d2115dfd61d257ebf5085e828ad7449732c8b2836f1213e2f1a0251a10
                                                              • Opcode Fuzzy Hash: adccd838f023833192a6ea8ef32ba18dfceb28250b807702a089e8f6cb3e4738
                                                              • Instruction Fuzzy Hash: 7E31AC745029869FDB04FFA0F49156DB3B5EF99310B2042A7F8019B355DB30AD03DAE2
                                                              Function 5002BA88 Relevance: 15.1, APIs: 10, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002BB82), ref: 5002BAC9
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002BB82), ref: 5002BAF8
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002BB82), ref: 5002BAFD
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002BB82), ref: 5002BB20
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002BB82), ref: 5002BB25
                                                              • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002BB82), ref: 5002BB31
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002BB82), ref: 5002BB4E
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5002BB82), ref: 5002BB67
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$System@@$AnsiFromStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%Unicode$Except$qqrvException@$bctr$qqrp20InternalRaiseRecpx14Recxi$Builder@set_Length$qqriMove$qqrpxvpvi
                                                              • String ID:
                                                              • API String ID: 2643269361-0
                                                              • Opcode ID: 0708b84ccf3e92e627d5ed3dd2509e173c6bcd433ac113f8520e2423efd052c3
                                                              • Instruction ID: 9b41787f5445ca965e8b445f3d3e889d29c8efd9642bd8e15586ab18e8b0b9b5
                                                              • Opcode Fuzzy Hash: 0708b84ccf3e92e627d5ed3dd2509e173c6bcd433ac113f8520e2423efd052c3
                                                              • Instruction Fuzzy Hash: 1931A430A011869FDB11DFA8ED91AADB7F9EF94304F54C2A6E50097256DB70EE04CBD0
                                                              Function 500275A0 Relevance: 15.1, APIs: 10, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50027676), ref: 500275C8
                                                              • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,50027676), ref: 500275D0
                                                                • Part of subcall function 5000AAF8: @System@@NewUnicodeString$qqri.RTL120(?,5000A544), ref: 5000AAC6
                                                                • Part of subcall function 5000AAF8: @System@Move$qqrpxvpvi.RTL120(00000000,?,5000A544), ref: 5000AAD7
                                                                • Part of subcall function 5000AAF8: @System@@FreeMem$qqrpv.RTL120(?,5000A544), ref: 5000AAEC
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50027676), ref: 500275DC
                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,50027676), ref: 500275E2
                                                              • @System@@GetMem$qqri.RTL120(00000000,?,00000000,50027676), ref: 500275EF
                                                                • Part of subcall function 50003FB0: @System@SysGetMem$qqri.RTL120 ref: 50003FB4
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027611
                                                              • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027617
                                                              • VerQueryValueW.VERSION(?,50027688,?,?,00000000,?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027631
                                                              • @System@@FreeMem$qqrpv.RTL120(50027660,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027653
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$Unicode$String$Char$qqrx20FileFreeInfoMem$qqriMem$qqrpvVersion$Asg$qqrr20Move$qqrpxvpviQuerySizeString$qqriString$qqrr20Stringx20UniqueValue
                                                              • String ID:
                                                              • API String ID: 3340374955-0
                                                              • Opcode ID: dddfb272de7c6e7c87dd35fe2d24d2a7e29585c5b1d1b6a14b8fcc4ff7acbc84
                                                              • Instruction ID: 20c290cfac2a6ec53872fbffc8a20628a873dcac3785a9ff7ef993043faeba55
                                                              • Opcode Fuzzy Hash: dddfb272de7c6e7c87dd35fe2d24d2a7e29585c5b1d1b6a14b8fcc4ff7acbc84
                                                              • Instruction Fuzzy Hash: 69215871A0568AAFDB01DFE9ED51C6EB7FCEF49200B914672B504E3251D734AE04C690
                                                              Function 50034A34 Relevance: 15.1, APIs: 10, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrClr$qqrpv.RTL120(00000000,50034AEC,?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034A53
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034A72
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034A8F
                                                              • @Sysutils@LowerCase$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034A9A
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034AA4
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034AB0
                                                              • @Sysutils@UpperCase$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034ABB
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034AC5
                                                              • @Variants@VarInvalidOp$qqrv.RTL120(?,?,?,00000000,00000000,00000000,00000000,?,50035965,?,?,?,?), ref: 50034ACC
                                                                • Part of subcall function 500307FC: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030846,?,00000000), ref: 50030817
                                                                • Part of subcall function 500307FC: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030846,?,00000000), ref: 50030826
                                                                • Part of subcall function 500307FC: @System@@RaiseExcept$qqrv.RTL120(00000000,50030846,?,00000000), ref: 5003082B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$Unicode$System@@$FromWide$Sysutils@$Case$qqrx20Str$qqrr17Str$qqrr20Stringx17Stringx20Variants@$Check$qqrlususClr$qqrpvExcept$qqrvException@$bctr$qqrx20FreeInvalidLoadLowerOp$qqrvRaiseResultString$qqrp20Upper
                                                              • String ID:
                                                              • API String ID: 1787277866-0
                                                              • Opcode ID: 1fcb6342362c8eb2675f5850fad802939ed4ea52e9e2d599269feaa4d86d904b
                                                              • Instruction ID: 28ee5e0d826e7c4dbe94008d08a8dd18efc8e78135a813a0b291ff3b53295a70
                                                              • Opcode Fuzzy Hash: 1fcb6342362c8eb2675f5850fad802939ed4ea52e9e2d599269feaa4d86d904b
                                                              • Instruction Fuzzy Hash: FC11E270640585AFEF01EBA4DCA2DEEB3A8EF45200F908776B900EB651D6B0BD0587D6
                                                              Function 50006ADC Relevance: 15.0, APIs: 10, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@TObject@ClassName$qqrv.RTL120(00000000,50006B69), ref: 50006B08
                                                                • Part of subcall function 50006AC4: @System@UTF8ToString$qqrrx28System@%SmallString$iuc$255%.RTL120 ref: 50006AD1
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50006B69), ref: 50006B10
                                                                • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50006B69), ref: 50006B15
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,50006B69), ref: 50006B1E
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,00000000,00000000,50006B69), ref: 50006B27
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,50006B69), ref: 50006B2C
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,00000000,50006B69), ref: 50006B35
                                                              • CompareStringW.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,00000000,50006B69), ref: 50006B43
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$String$System@@$Char$qqrx20EnsureLen$qqrx20String$qqrr20System@%$AnsiClassCompareFromInternalName$qqrvObject@SmallStr$qqrr20String$iuc$255%String$qqrrx28Stringx27T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 2698194505-0
                                                              • Opcode ID: 7a18ea293cba9f4f732223db10a86afe3026c92dbc0af962d2106ebeff8d67eb
                                                              • Instruction ID: 07edf7bba6b7798c112338542bf63ced82e12cf919ecdcd04dcacc31e71116a0
                                                              • Opcode Fuzzy Hash: 7a18ea293cba9f4f732223db10a86afe3026c92dbc0af962d2106ebeff8d67eb
                                                              • Instruction Fuzzy Hash: 9D017174505288AFEB10EBE4EC6299EB7BCEF59310F904677B404E3652DB30AA009696
                                                              Function 50014BAC Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500123E4: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(?,500145C0), ref: 500123F0
                                                                • Part of subcall function 500123E4: @System@@RaiseExcept$qqrv.RTL120(?,500145C0), ref: 500123F5
                                                              • @System@Exp$qqrxg.RTL120 ref: 50014D27
                                                              • @Math@LnXP1$qqrxg.RTL120(?,?,?), ref: 50014D6E
                                                              • @System@Exp$qqrxg.RTL120 ref: 50014D7C
                                                              • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014D9B
                                                              • @System@Ln$qqrxg.RTL120 ref: 50014E8F
                                                              • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014F05
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Exp$qqrxg$Except$qqrvException@$bctr$qqrx20Ln$qqrxgMath@P1$qqrxgRaiseStringSystem@@Sysutils@Unicode
                                                              • String ID: InterestRate
                                                              • API String ID: 309294142-3580794093
                                                              • Opcode ID: 124f8ed047251f2e0df9bb2f8c7ea5488eeba9d01d2cc3390b6a8d904b7b764a
                                                              • Instruction ID: d6d9cfc9d9be970d20f1fa582e04d4b86400008520249d3d5693622e2192696a
                                                              • Opcode Fuzzy Hash: 124f8ed047251f2e0df9bb2f8c7ea5488eeba9d01d2cc3390b6a8d904b7b764a
                                                              • Instruction Fuzzy Hash: D7C19660E091AD9ADF619BF4DC546CDBFB0FF05A00F15469BE8E8B3256E63249A1CF40
                                                              Function 50025C2C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025C48
                                                                • Part of subcall function 50025BF0: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?), ref: 50025C0C
                                                                • Part of subcall function 50025BF0: @System@LoadResString$qqrp20System@TResStringRec.RTL120 ref: 50025C1E
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025C7D
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025CA0
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025CEE
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025D13
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20Stringx20$Locale$FreeLoadMem$qqrpvMove$qqrpxvpviStr$qqriix20String$qqriString$qqrp20Sysutils@Thread
                                                              • String ID: ,lP$kP
                                                              • API String ID: 2884738061-2562396607
                                                              • Opcode ID: 1e640ef11e0d861ae4c35bea9addde5ea34473f93be08e639f16d76bd6c0e43e
                                                              • Instruction ID: 16dec81e5f93945b5e2b83e1c7f6ec167d3ec98a1fb52082471023d7d843a8a0
                                                              • Opcode Fuzzy Hash: 1e640ef11e0d861ae4c35bea9addde5ea34473f93be08e639f16d76bd6c0e43e
                                                              • Instruction Fuzzy Hash: 8131E871B411496BDB04CAC4EC91FBF73AADB98310F914627F905DB341DA39ED0183A5
                                                              Function 5001C4D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C580), ref: 5001C503
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C580), ref: 5001C52A
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C580), ref: 5001C550
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,5001C580), ref: 5001C55D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@$Cat3$qqrr20Char$qqrx20Copy$qqrx20Delimiter$qqrx20LastScan$qqrpxbbStringiiStringt1Stringt2Stringx20
                                                              • String ID: .\:
                                                              • API String ID: 2717076658-496007442
                                                              • Opcode ID: a89fb4eec0d62e8afcb9bcc628ec571381857e07fc04220a90b3bcf355591fdb
                                                              • Instruction ID: d01c72174dcf2e075b5b8dd55ecc10e744eed8894acf6479d7133b6cc06a8146
                                                              • Opcode Fuzzy Hash: a89fb4eec0d62e8afcb9bcc628ec571381857e07fc04220a90b3bcf355591fdb
                                                              • Instruction Fuzzy Hash: 9B119330A00688EBDB04DFE9D89199DB3F9EF49310BA083B6E41093251EB70EF81DA40
                                                              Function 50005914 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,B",?,?,?,00000000), ref: 50005949
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,B",?,?,?,00000000), ref: 50005952
                                                              • MoveFileW.KERNEL32(00000000), ref: 50005958
                                                              • GetLastError.KERNEL32(00000000,?,00000000,B",?,?,?,00000000), ref: 5000597D
                                                              • @System@SetInOutRes$qqri.RTL120(00000000,?,00000000,B",?,?,?,00000000), ref: 50005982
                                                              • @System@SetInOutRes$qqri.RTL120(00000000,B",?,?,?,00000000), ref: 5000598E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Res$qqriSystem@@Unicode$Array$qqrr20Char$qqrx20ErrorFileFromLastMoveStringStringpbi
                                                              • String ID: B"
                                                              • API String ID: 3244090159-4078893311
                                                              • Opcode ID: 4a2eb7b6fd8b58eeb8d6c45eddf589e6c8aac0e0df426a6a7fc9b1bc2b78b412
                                                              • Instruction ID: df590b721be1972d76404118b1dd1283823992a997f97f748f899e6b97df8a74
                                                              • Opcode Fuzzy Hash: 4a2eb7b6fd8b58eeb8d6c45eddf589e6c8aac0e0df426a6a7fc9b1bc2b78b412
                                                              • Instruction Fuzzy Hash: 3601F5302056C5DAFB20EBA4D9B16AF72ECDF59222FD00A76F640D2112E6659E0081A5
                                                              Function 5001062C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                              • @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                • Part of subcall function 5002A908: GetLastError.KERNEL32(50010679,00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5002A908
                                                                • Part of subcall function 5002A908: @Sysutils@RaiseLastOSError$qqri.RTL120(50010679,00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5002A90D
                                                              • LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                              • @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                              • LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                              • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Last$RaiseSysutils@$Error$qqrvResource$ErrorError$qqriFindLoadLock
                                                              • String ID: CHARTABLE$PkP
                                                              • API String ID: 2693630376-1680022972
                                                              • Opcode ID: 1eb605201eaa7e6766b98b1e00adbd3eb7b47462771e20d424d66e1f26d623af
                                                              • Instruction ID: cc429218ece2e4869d3c0890a31dc3911705f99bbb730b9440c9ee6bded52d1b
                                                              • Opcode Fuzzy Hash: 1eb605201eaa7e6766b98b1e00adbd3eb7b47462771e20d424d66e1f26d623af
                                                              • Instruction Fuzzy Hash: 9D0144B47517818FE71CDF94EDA099577F5BB98310B09862DE182D7761CB78D880CB60
                                                              Function 50008524 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38filewindowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000855D
                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF,?,?,?,?,?,?,500086BE,500041BB), ref: 50008563
                                                              • GetStdHandle.KERNEL32(000000F5,500085B0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF), ref: 50008578
                                                              • WriteFile.KERNEL32(00000000,000000F5,500085B0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF), ref: 5000857E
                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 5000859C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileHandleWrite$Message
                                                              • String ID: 0CP$Error$Runtime error at 00000000
                                                              • API String ID: 1570097196-3976705077
                                                              • Opcode ID: c7f65587848cdab12b096d8458637050e43fc9a3475b859aec640a5b1c1ffc15
                                                              • Instruction ID: 13760cef71b14ba24bdf52ca3db3f2b841d9a020471f696476a3b083ba67eecc
                                                              • Opcode Fuzzy Hash: c7f65587848cdab12b096d8458637050e43fc9a3475b859aec640a5b1c1ffc15
                                                              • Instruction Fuzzy Hash: 14F0F652901AC0BAFA1093D06C62FC535989BA0A29FD8470AF650690D2E77445C49722
                                                              Function 5001B598 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayLength$qqrv.RTL120(5001B7D4), ref: 5001B59D
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5001B5CA
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000001,5001B7D4), ref: 5001B5B8
                                                                • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                              • @System@@DynArrayLength$qqrv.RTL120(5001B7D4), ref: 5001B5D4
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000001,5001B7D4), ref: 5001B5EF
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5001B601
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$ArraySystem@$Length$qqrvUnicode$Asg$qqrr20StringStringx20$Length$qqrrpvpvipi
                                                              • String ID: False$True
                                                              • API String ID: 1602069110-1895882422
                                                              • Opcode ID: dc1f99dea7fc06d24d915c1314f15eaf0c255ee8a481010edc47a443f1a80566
                                                              • Instruction ID: a813428639982090d4a362bd633a8cf1e7a719357de9231205594663fbfa07b6
                                                              • Opcode Fuzzy Hash: dc1f99dea7fc06d24d915c1314f15eaf0c255ee8a481010edc47a443f1a80566
                                                              • Instruction Fuzzy Hash: FBF01C7170118197F714A7E4FC52B6A33A2EBA0714F404239FA448F6A6DB6AFC818BC1
                                                              Function 5000730C Relevance: 13.6, APIs: 9, Instructions: 132threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@TMonitor@TryEnter$qqrv.RTL120 ref: 5000731C
                                                                • Part of subcall function 500076F4: GetCurrentThreadId.KERNEL32 ref: 500076F7
                                                              • GetTickCount.KERNEL32 ref: 50007343
                                                              • GetTickCount.KERNEL32 ref: 50007355
                                                              • GetCurrentThreadId.KERNEL32 ref: 50007388
                                                              • GetTickCount.KERNEL32 ref: 500073AC
                                                              • GetTickCount.KERNEL32 ref: 500073E6
                                                              • @System@TMonitor@GetEvent$qqrv.RTL120 ref: 500073F1
                                                              • GetTickCount.KERNEL32 ref: 50007410
                                                              • GetCurrentThreadId.KERNEL32 ref: 50007486
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CountTick$CurrentThread$Monitor@System@$Enter$qqrvEvent$qqrv
                                                              • String ID:
                                                              • API String ID: 1987720909-0
                                                              • Opcode ID: 20729751b9ca491032756733baeeb24b399c546541366898f273070eb1456356
                                                              • Instruction ID: cdbcf1bc501056cecbbc3dd38a171081e16c6904e9569bf655de2ffa8f35bad7
                                                              • Opcode Fuzzy Hash: 20729751b9ca491032756733baeeb24b399c546541366898f273070eb1456356
                                                              • Instruction Fuzzy Hash: 0741C830A097C15AF311EE7CD6A93AEBFD15F94240F948B1ED9DC87282DB79C8408352
                                                              Function 5002CBD8 Relevance: 13.6, APIs: 9, Instructions: 128COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CC29
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CC52
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CCA7
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002CD41), ref: 5002CCB9
                                                              • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(00000000,5002CD41), ref: 5002CCC5
                                                              • @Sysutils@TStringBuilder@_Replace$qqrix20System@UnicodeStringt2.RTL120(?,00000000,5002CD41), ref: 5002CCDA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@Unicode$System@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Sysutils@$Builder@_Char$qqrx20Comp$qqrpxbt1uiReplace$qqrix20Stringt2
                                                              • String ID:
                                                              • API String ID: 1607367926-0
                                                              • Opcode ID: dff76c2313e9b10604c8c371fb3469098b1b02ec0f466d374c6a1fd6b8e53afd
                                                              • Instruction ID: aca0b5ef864c04f24fc7a5c9ba3459030470bcc1760272ceb3d3fd660aa6f22d
                                                              • Opcode Fuzzy Hash: dff76c2313e9b10604c8c371fb3469098b1b02ec0f466d374c6a1fd6b8e53afd
                                                              • Instruction Fuzzy Hash: 0551F874E0124ADFDF10DFA8D9819AEBBF5EF48210B6081A6E944E7315D734EE42CB90
                                                              Function 5000B174 Relevance: 13.6, APIs: 9, Instructions: 114COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@Move$qqrpxvpvi.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B1A3
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B1F5
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B209
                                                              • @System@Move$qqrpxvpvi.RTL120(?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B2A9
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Move$qqrpxvpviSystem@@Unicode$Asg$qqrpvpxvAsg$qqrr20StringStringx20
                                                              • String ID:
                                                              • API String ID: 3030236992-0
                                                              • Opcode ID: 970a367cf088cdf98191689e9a0694ce909863f07a89907442e7d6dacbf600a3
                                                              • Instruction ID: 633908d8e5bc59ccb80292a96c5d98a609424162179242e37904b4a32d27729b
                                                              • Opcode Fuzzy Hash: 970a367cf088cdf98191689e9a0694ce909863f07a89907442e7d6dacbf600a3
                                                              • Instruction Fuzzy Hash: 1031E5713044858FE724FFA8DCB2B9AB392AF85304FE4876AD205CB357DA34D8528780
                                                              Function 5000A5A8 Relevance: 13.6, APIs: 9, Instructions: 106COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A6C6), ref: 5000A5E7
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A6C6), ref: 5000A614
                                                              • @System@@IntOver$qqrv.RTL120(?,00000000,5000A6C6), ref: 5000A651
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000A6C6), ref: 5000A65B
                                                              • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A67E
                                                              • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A695
                                                              • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A6AB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$Unicode$AnsiFromMove$qqrpxvpviStr$qqrr20StringStringx27System@%T$us$i0$%$Internal$Length$qqrr20Over$qqrvStringi
                                                              • String ID:
                                                              • API String ID: 1011950963-0
                                                              • Opcode ID: e4b13b3abff3123872844c1e8fe38d4b4ae3526ff4051b82554457186b164d06
                                                              • Instruction ID: 9ab0ed15de96328d0360d8f2b957ce8da5d90d071b8904a8a405cde8eb91594d
                                                              • Opcode Fuzzy Hash: e4b13b3abff3123872844c1e8fe38d4b4ae3526ff4051b82554457186b164d06
                                                              • Instruction Fuzzy Hash: 7A418D30A015A9DFEF10DFA8D8A099DB7F5EF46304B9542A6D500D7315DB31EE45CB80
                                                              Function 5001ACD4 Relevance: 13.6, APIs: 9, Instructions: 103COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001ADED), ref: 5001ACFD
                                                              • @Sysutils@AnsiExtractQuotedStr$qqrrpbb.RTL120(00000000,5001ADED), ref: 5001AD0C
                                                                • Part of subcall function 5001AB98: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,?,5001AD11,00000000,5001ADED), ref: 5001ABA9
                                                                • Part of subcall function 5001AB98: @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABD0
                                                                • Part of subcall function 5001AB98: @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ABFE
                                                                • Part of subcall function 5001AB98: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001AC30
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD37
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD6E
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD94
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001ADB3
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001ADED), ref: 5001ADD2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$Ansi$From$InternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@$Asg$qqrr20Stringx20$CharChar$qqrx20End$qqrpxbExtractLen$qqrr20QuotedScan$qqrpbbStr$qqrrpbbStringpbi
                                                              • String ID:
                                                              • API String ID: 4150118406-0
                                                              • Opcode ID: 7b8b3bd956a24fb37043db0de1cd875b4586c0c9a660db8d41d02f380f970555
                                                              • Instruction ID: 878662552be2a9cceb873cca4a38ac5847e1d6f413897114a0aea2408ea04795
                                                              • Opcode Fuzzy Hash: 7b8b3bd956a24fb37043db0de1cd875b4586c0c9a660db8d41d02f380f970555
                                                              • Instruction Fuzzy Hash: FB31C530A00699DFDF12DFA8ED425ADB3F5EF46200BA042A2E502D7A55EB30DF81D744
                                                              Function 50011C94 Relevance: 13.6, APIs: 9, Instructions: 93COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011D9A), ref: 50011CBB
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011D9A), ref: 50011CC6
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011CE3
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011D1B
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011D9A), ref: 50011D4C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011D9A), ref: 50011D51
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011D6E
                                                              • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120(00000000,50011D9A), ref: 50011D78
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20Character@Stringx20$Except$qqrvException@$bctr$qqrp20FreeHighMem$qqrpvRaiseRecpx14RecxiSurrogate$qqrbSysutils@
                                                              • String ID:
                                                              • API String ID: 548731262-0
                                                              • Opcode ID: 4d4eef9b03f393715acc3e42fdb6e366bf52ca2bdebe8caac90d3fc4a567f435
                                                              • Instruction ID: 700245c2fe1d1fdb6a485c05ca2023c3c128d6a71b5f8303525b4329a6adc132
                                                              • Opcode Fuzzy Hash: 4d4eef9b03f393715acc3e42fdb6e366bf52ca2bdebe8caac90d3fc4a567f435
                                                              • Instruction Fuzzy Hash: BC318F30A00299ABDF15DFA4EC919EEB7FAEF44300F5442A6E940E7251E770DE82C791
                                                              Function 50011278 Relevance: 13.6, APIs: 9, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001137A), ref: 500112A6
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 500112C3
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 500112FB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5001137A), ref: 5001132C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5001137A), ref: 50011331
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 5001134E
                                                              • @Character@TCharacter@IsSurrogate$qqrb.RTL120(00000000,5001137A), ref: 50011358
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20RaiseRecpx14RecxiStringx20Surrogate$qqrbSysutils@
                                                              • String ID:
                                                              • API String ID: 2718466752-0
                                                              • Opcode ID: bad0fc59ee02269015429073d0d42a0ebfc6cb78c8723bc27d63799decc90d51
                                                              • Instruction ID: 810eb6f4f35f56be61290b59cfeeda25cb95dca07b352be7eb4c63e5f55842af
                                                              • Opcode Fuzzy Hash: bad0fc59ee02269015429073d0d42a0ebfc6cb78c8723bc27d63799decc90d51
                                                              • Instruction Fuzzy Hash: FC315830A042899BDF15DFA4EC81AEEB7F9EF44200F5442A6E940E7655E7709E81C790
                                                              Function 50010940 Relevance: 13.6, APIs: 9, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010A42), ref: 5001096E
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 5001098B
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 500109C3
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010A42), ref: 500109F4
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010A42), ref: 500109F9
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 50010A16
                                                              • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120(00000000,50010A42), ref: 50010A20
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20HighRaiseRecpx14RecxiStringx20Surrogate$qqrbSysutils@
                                                              • String ID:
                                                              • API String ID: 4039923113-0
                                                              • Opcode ID: 43317869d6c1f8e73e51e660adce439b81015dec9d7cb8a377cee6d1af779c79
                                                              • Instruction ID: 0537749609d4c2c7f5846f453ae597f4d5af8c2bbe5069fb687463282a70f4ee
                                                              • Opcode Fuzzy Hash: 43317869d6c1f8e73e51e660adce439b81015dec9d7cb8a377cee6d1af779c79
                                                              • Instruction Fuzzy Hash: 63316F30A002999FEF11DFA8DC915AEB7F5EF44304F9046A6E980E7252E7B09E81C791
                                                              Function 5000FB90 Relevance: 13.6, APIs: 9, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000FC92), ref: 5000FBBE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FBDB
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FC13
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5000FC92), ref: 5000FC44
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5000FC92), ref: 5000FC49
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FC66
                                                              • @Character@TCharacter@IsLetter$qqrb.RTL120(00000000,5000FC92), ref: 5000FC70
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20Letter$qqrbRaiseRecpx14RecxiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 116701318-0
                                                              • Opcode ID: 0ab13f2dd6dd5c675b01cb9593c8161319786f04545f7858dcf4f9daa7e03c78
                                                              • Instruction ID: 0cff3b4b0113612aababc7cf32eb9127b6015ad67c45bd92dacf89e969f5d904
                                                              • Opcode Fuzzy Hash: 0ab13f2dd6dd5c675b01cb9593c8161319786f04545f7858dcf4f9daa7e03c78
                                                              • Instruction Fuzzy Hash: 66316E30A042899BFB11DFA4D9A39BDB7F5EF44300F9042A6E900D7651E7709F45DB90
                                                              Function 50010C34 Relevance: 13.6, APIs: 9, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010D36), ref: 50010C62
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010C7F
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010CB7
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010D36), ref: 50010CE8
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010D36), ref: 50010CED
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010D0A
                                                              • @Character@TCharacter@IsLowSurrogate$qqrb.RTL120(00000000,50010D36), ref: 50010D14
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20RaiseRecpx14RecxiStringx20Surrogate$qqrbSysutils@
                                                              • String ID:
                                                              • API String ID: 2718466752-0
                                                              • Opcode ID: d3472ce51e1e4d7c43096c6d1dc8011218f4b6f0d31894a17688fc7172dd10f5
                                                              • Instruction ID: b90fdfa914548ce8d05a9719d69e5cbf12a9b698905def4a3bb0f427dd695afc
                                                              • Opcode Fuzzy Hash: d3472ce51e1e4d7c43096c6d1dc8011218f4b6f0d31894a17688fc7172dd10f5
                                                              • Instruction Fuzzy Hash: 32316130A00289ABDF11DFA4EC916AEB7F5EF54300F5046A6E980D7255E7B0DE81CBD5
                                                              Function 50016B4C Relevance: 13.6, APIs: 9, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016B7D
                                                                • Part of subcall function 5001B1C8: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120 ref: 5001B1DB
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016B89
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BAE
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BBA
                                                                • Part of subcall function 5000A1E4: @System@@NewUnicodeString$qqri.RTL120 ref: 5000A227
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A23B
                                                                • Part of subcall function 5000A1E4: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A253
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A263
                                                                • Part of subcall function 5000A1E4: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A279
                                                                • Part of subcall function 5000A1E4: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A287
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A297
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BDF
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BEB
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016C06
                                                                • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016C12
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$Stringx20$Asg$qqrr20Cat3$qqrr20StringStringt2$FromStr$qqriSysutils@$CharLen$qqrr20Move$qqrpxvpvi$Char$qqrr20Clr$qqrpvString$qqriStringbStringpbiStringpci
                                                              • String ID:
                                                              • API String ID: 2917779735-0
                                                              • Opcode ID: 0163770234b153fc603f73859ed527ed7eb92f76623291e36795d766039d6016
                                                              • Instruction ID: 76f8e76b563a54bc19a49a39c681c756d7ccbd9bc0e3cb43033c5cd06b9a2793
                                                              • Opcode Fuzzy Hash: 0163770234b153fc603f73859ed527ed7eb92f76623291e36795d766039d6016
                                                              • Instruction Fuzzy Hash: 2A2192707051545BE708CA9DDC659AAB3EBEFE9300F94C62BB549C3344DEB8AD118690
                                                              Function 5002D62C Relevance: 13.6, APIs: 9, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D679
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D674
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D69C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6A1
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D71E), ref: 5002D6BE
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6ED
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6F2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$String$RaiseRecxiSysutils@Unicode$Except$qqrvException@$bctr$qqrp20Recpx14$AnsiAsg$qqrr20ClassClassoCreate$qqrp17Error$qqrucFormat$qqrx20FromInternalList$qqrvLoadMetaStr$qqrr20String$qqrp20Stringpx14Stringx20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 211832472-0
                                                              • Opcode ID: d82c6879fd7e8bb308ec514bab1eca5c326ff1012e43fe8cdcdfe95a8be795b9
                                                              • Instruction ID: baf3d6f3658cd3b0b0bf9b1fe87a80f42db4b7494a16350bdacbce027700de45
                                                              • Opcode Fuzzy Hash: d82c6879fd7e8bb308ec514bab1eca5c326ff1012e43fe8cdcdfe95a8be795b9
                                                              • Instruction Fuzzy Hash: 3E319530A05589AFEB10DFE8E995A9DB7F8EF54304F5081A7E904D7261DB709E05CB90
                                                              Function 5001C198 Relevance: 13.6, APIs: 9, Instructions: 77fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1B9
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1BF
                                                              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1D5
                                                              • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 5001C1E9
                                                              • ImageDirectoryEntryToData.IMAGEHLP(?,00000000,0000000E,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000), ref: 5001C212
                                                              • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,80000000), ref: 5001C21B
                                                              • UnmapViewOfFile.KERNEL32(?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 5001C23D
                                                              • CloseHandle.KERNEL32(?,?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000), ref: 5001C246
                                                              • CloseHandle.KERNEL32(00000000,?,?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002), ref: 5001C24F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleSystem@@View$Char$qqrx20DataDirectoryEntryExit$qqrvFinallyImageMappingStringSystem@UnicodeUnmap
                                                              • String ID:
                                                              • API String ID: 2267264102-0
                                                              • Opcode ID: 57813ce33fd1e787f2ae7afc3594a276316039dc248eaabb460c0ce63afaddb7
                                                              • Instruction ID: ed93af7bb64c484572da9e927bec8c4042e6e931a3020e493e924e2f8d9bdac0
                                                              • Opcode Fuzzy Hash: 57813ce33fd1e787f2ae7afc3594a276316039dc248eaabb460c0ce63afaddb7
                                                              • Instruction Fuzzy Hash: C321A1B0A443C47BFB10CAE4AC56FAEB7BCAB18700F500655F704FB1C1D6B5A9408795
                                                              Function 5002DB48 Relevance: 13.6, APIs: 9, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,00000000,?), ref: 5002DB70
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,00000000,?), ref: 5002DB75
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DB98
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DB9D
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DBC0
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DBC5
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,00000000,?), ref: 5002DBCC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DBF1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DBF6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$RaiseString$Except$qqrvException@$bctr$qqrp20Sysutils@$Recpx14Recxi$AfterArrayClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucLength$qqrvList$qqrvLoadMetaObjectString$qqrp20
                                                              • String ID:
                                                              • API String ID: 434768823-0
                                                              • Opcode ID: 70035ba3cdc4d1b591e6ff713689efda533d35203e273b787accabacad4fdffb
                                                              • Instruction ID: 10693105d4530467d70705bbd3336f9fa5ff1ffcd69f97b7e410178babc29af3
                                                              • Opcode Fuzzy Hash: 70035ba3cdc4d1b591e6ff713689efda533d35203e273b787accabacad4fdffb
                                                              • Instruction Fuzzy Hash: 8E219531E06685ABEB10DFD9FCD1BADB7B8AB54304F50816AF90497352CB715D058BA0
                                                              Function 500119D8 Relevance: 13.6, APIs: 9, Instructions: 67threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011A8B), ref: 50011A03
                                                              • GetThreadLocale.KERNEL32(00000000,50011A8B), ref: 50011A08
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011A8B), ref: 50011A27
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50011A8B), ref: 50011A51
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50011A8B), ref: 50011A5B
                                                              • LCMapStringW.KERNEL32(00000000,00000100,00000000,?,00000000,?,00000000,50011A8B), ref: 50011A67
                                                              • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,00000100,00000000,?,00000000,?,00000000,50011A8B), ref: 50011A70
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@Unicode$System@@$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Error$qqrvInternalLastLocaleRaiseStringx20Sysutils@Thread
                                                              • String ID:
                                                              • API String ID: 3094671988-0
                                                              • Opcode ID: 61edf3dfb67e96cd3ce6b600e90b04d6ddfba1988f50e1faa7fba45ec40b8dee
                                                              • Instruction ID: 64e016724a4648d9eccdf5b5c7b5b498823f636818398dbbc543729642361fab
                                                              • Opcode Fuzzy Hash: 61edf3dfb67e96cd3ce6b600e90b04d6ddfba1988f50e1faa7fba45ec40b8dee
                                                              • Instruction Fuzzy Hash: 01118770A01285AFEF05DFF9DC9199EBBF8EF49210B9446A6F940E3311D730AE40DA91
                                                              Function 50011AAC Relevance: 13.6, APIs: 9, Instructions: 67threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011B5F), ref: 50011AD7
                                                              • GetThreadLocale.KERNEL32(00000000,50011B5F), ref: 50011ADC
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011B5F), ref: 50011AFB
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50011B5F), ref: 50011B25
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50011B5F), ref: 50011B2F
                                                              • LCMapStringW.KERNEL32(00000000,00000200,00000000,?,00000000,?,00000000,50011B5F), ref: 50011B3B
                                                              • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,00000200,00000000,?,00000000,?,00000000,50011B5F), ref: 50011B44
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@Unicode$System@@$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Error$qqrvInternalLastLocaleRaiseStringx20Sysutils@Thread
                                                              • String ID:
                                                              • API String ID: 3094671988-0
                                                              • Opcode ID: bb35b1ec3dee52f85de0abe14dd36a5b07772a894f879ccd0841f78612b6cb55
                                                              • Instruction ID: aa116bdb757719b18d0b9449cf26451f3ca687c3b180189956f3d9f0d1195bcc
                                                              • Opcode Fuzzy Hash: bb35b1ec3dee52f85de0abe14dd36a5b07772a894f879ccd0841f78612b6cb55
                                                              • Instruction Fuzzy Hash: 64118470A05285AFEF04DFA9DDD299EB7F8EF59210B5442A6F900E3311E730AE40DA91
                                                              Function 5002F388 Relevance: 13.6, APIs: 9, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3B8
                                                              • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3CA
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3CF
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3DE
                                                              • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3F0
                                                              • @System@@RaiseExcept$qqrv.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3F5
                                                              • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(00000000,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F407
                                                                • Part of subcall function 5002F438: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002F450
                                                                • Part of subcall function 5002F438: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F46F
                                                                • Part of subcall function 5002F438: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002F4C9), ref: 5002F486
                                                                • Part of subcall function 5002F438: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002F4C9), ref: 5002F49A
                                                                • Part of subcall function 5002F438: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F4A6
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F40C
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$Unicode$System@@$Raise$ArrayError@$bctr$qqrlx20Except$qqrvLoadSafeString$qqrp20Varutils@$Sysutils@$Asg$qqrr20ClassClassoCreate$qqrp17Error$qqrucException@$bctr$qqrx20Format$qqrx20List$qqrvMetaRecxiStringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 2318074137-0
                                                              • Opcode ID: 2fc197e72b512a73204bf5c851bd90a70b0a5406eff194070ecd408d08181925
                                                              • Instruction ID: bc5804b8ea2ea52ee02b52fff60dedcdbde60d4b00371caa1661321ee3d8b552
                                                              • Opcode Fuzzy Hash: 2fc197e72b512a73204bf5c851bd90a70b0a5406eff194070ecd408d08181925
                                                              • Instruction Fuzzy Hash: F81108316021C25BE720EFA8FCA3A7FB3E9EB58240FA00276F504C3252C6B16D018761
                                                              Function 5000D428 Relevance: 13.6, APIs: 9, Instructions: 55stringCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D446
                                                              • lstrlenA.KERNEL32(?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D455
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D461
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D46A
                                                              • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D474
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D485
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D491
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D49B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$Asg$qqrr20Stringx20$Length$qqrr20Stringi$Char$qqrx20Unicode$qqrpbuipcuiUtf8lstrlen
                                                              • String ID:
                                                              • API String ID: 1537582155-0
                                                              • Opcode ID: 6c4ef39c03e1d23b9309869b8de45e6fcba1332ee3670c4631afad92b9265e4a
                                                              • Instruction ID: 1243ab6cbdefdf8345f412232093dd449079060f735b143d8bc3f4c3f6575941
                                                              • Opcode Fuzzy Hash: 6c4ef39c03e1d23b9309869b8de45e6fcba1332ee3670c4631afad92b9265e4a
                                                              • Instruction Fuzzy Hash: E101F534601A84ABFB11DBA5D8B299EB3E9DFA4210FE58773B50097212DB74EE01D1E4
                                                              Function 50008224 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: T@P
                                                              • API String ID: 0-2218095447
                                                              • Opcode ID: 2735e6c39fcff9f4b0946c2650835f74bb3b70cbc3805efadd1a251d44f47135
                                                              • Instruction ID: 27dc2a38aba9eb27cd1e85926dff11305057f2316d7a6dc2ed62153db4641c43
                                                              • Opcode Fuzzy Hash: 2735e6c39fcff9f4b0946c2650835f74bb3b70cbc3805efadd1a251d44f47135
                                                              • Instruction Fuzzy Hash: ED51B934900B80CFF724CFA8EC64B867BE0BB45320F81472EE98587262DB759884CB65
                                                              Function 500085B4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@AcquireExceptionObject$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000860A
                                                              • @System@TObject@Free$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008617
                                                              • @System@AcquireExceptionObject$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000861C
                                                              • @System@UnregisterModule$qqrp17System@TLibModule.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008644
                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000865C
                                                              • ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008694
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$AcquireExceptionObject$qqrv$ExitFreeFree$qqrvLibraryModuleModule$qqrp17Object@ProcessUnregister
                                                              • String ID: T@P
                                                              • API String ID: 3627422618-2218095447
                                                              • Opcode ID: f0d280432ca972ea6fe1c2b580152eead50abd2acda08fe9b4d21eab7651e6ea
                                                              • Instruction ID: 4a4c4bef56c973cbd5feeae4d951ec7c4dcbae2887cfb847883f1a9252908ba7
                                                              • Opcode Fuzzy Hash: f0d280432ca972ea6fe1c2b580152eead50abd2acda08fe9b4d21eab7651e6ea
                                                              • Instruction Fuzzy Hash: 5721AD70901BC18FF7209BB498A4B86B6E47B54324F860B2EEAC583252DBB5DC84CB55
                                                              Function 5001C924 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C9B7), ref: 5001C94D
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C9B7), ref: 5001C970
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C9B7), ref: 5001C991
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001C9B7), ref: 5001C99C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Sysutils@$Asg$qqrr20Char$qqrx20Copy$qqrx20Delimiter$qqrx20LastScan$qqrpxbbStringiiStringt1Stringx20
                                                              • String ID: .\:
                                                              • API String ID: 1552234271-496007442
                                                              • Opcode ID: 3dc59a3a4042f2af38c8c9ff90ffa329698c3951d405d49f161df8a05a6a6c33
                                                              • Instruction ID: 4b29117d5e5b6616636b4a21a03f3e77820cdaa5a79e53c5ecbb7995722f26fe
                                                              • Opcode Fuzzy Hash: 3dc59a3a4042f2af38c8c9ff90ffa329698c3951d405d49f161df8a05a6a6c33
                                                              • Instruction Fuzzy Hash: 6001D630A112C8EB9B11DFB9DD56CAEB3F9EF9632076043B6F400D3251DA70DE419691
                                                              Function 50010D48 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50010D4D
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50010D5F
                                                                • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                              • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120 ref: 50010D98
                                                              • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50010DA1
                                                              • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120 ref: 50010DB4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$CategoryCheckNumber$qqr26Unicode$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                              • String ID: 0$9
                                                              • API String ID: 940830643-1975997740
                                                              • Opcode ID: f1847998efdb39b59314800ab2b7d4b6bfe1a4e47e37d1145b2ddf5edbe504e7
                                                              • Instruction ID: ca158e9595d5b8df393e14bdbef67b9979e5ff35cdaa91c6b3d555daa54abe26
                                                              • Opcode Fuzzy Hash: f1847998efdb39b59314800ab2b7d4b6bfe1a4e47e37d1145b2ddf5edbe504e7
                                                              • Instruction Fuzzy Hash: 8701D650B165904AE72467B0BC612B933D26791302B88027FF497CB6D3CA7995D5E760
                                                              Function 5000D840 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 27COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D85E
                                                                • Part of subcall function 50004E58: @System@SetInOutRes$qqri.RTL120(0000D7B1,?,50004A02,?,?,50004A3D), ref: 50004E90
                                                              • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D868
                                                                • Part of subcall function 50004E58: @System@SetInOutRes$qqri.RTL120(0000D7B1,?,50004A02,?,?,50004A3D), ref: 50004EA4
                                                              • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D872
                                                                • Part of subcall function 50003F0C: CloseHandle.KERNEL32(?,5000D87C,00000000,5000D89E), ref: 50003F1B
                                                                • Part of subcall function 50003F0C: VirtualFree.KERNEL32(?,00000000,00008000,5000D87C,00000000,5000D89E), ref: 50003F4B
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,5000D89E), ref: 5000D881
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,5000D89E), ref: 5000D88B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$Close$qqrr15Text$Clr$qqrpvFreeRes$qqri$CloseHandleMem$qqrpvVirtual
                                                              • String ID: 0CP$`@P
                                                              • API String ID: 1074734335-699206834
                                                              • Opcode ID: 5dd963d20aa9d17184e9b04b3596eb2fb7a121d5b3ae81a9c3fb34c116752437
                                                              • Instruction ID: 65ae3e41759c052dc381d089f7c5f52dc025f958349b81aa71df701aec3d44ee
                                                              • Opcode Fuzzy Hash: 5dd963d20aa9d17184e9b04b3596eb2fb7a121d5b3ae81a9c3fb34c116752437
                                                              • Instruction Fuzzy Hash: 98E092795099C84B77867BE8783242D7698FFD6D143D24B63FD4486602CE38882157B7
                                                              Function 50002918 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • Sleep.KERNEL32(00000000,?), ref: 500029AE
                                                              • Sleep.KERNEL32(0000000A,00000000,?), ref: 500029C8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 7c45e2e85974a259c0a9710e2743f4c14eb2d2fa6527f7773eb08439326dd73a
                                                              • Instruction ID: e297e28b8d4201adb38443583ce835d2b097a86928e3fdd3a1d09e16793e4692
                                                              • Opcode Fuzzy Hash: 7c45e2e85974a259c0a9710e2743f4c14eb2d2fa6527f7773eb08439326dd73a
                                                              • Instruction Fuzzy Hash: 5671F7316456808FF325CF68DD94B8ABBD0AF95314F94836EE9488B3D2D7B0E845C792
                                                              Function 5001B690 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B78E), ref: 5001B6D2
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B78E), ref: 5001B6E0
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001B78E), ref: 5001B6FD
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001B78E), ref: 5001B725
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001B78E), ref: 5001B739
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001B78E), ref: 5001B743
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001B78E), ref: 5001B750
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Char$qqrx20InternalStringx20$CompareFreeMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 2845561448-0
                                                              • Opcode ID: bf0cfcdcd351cc12fb7600fa998fc1f6185d974cd3725ac41fa1c8af8d435e51
                                                              • Instruction ID: 13f022dda2a44bd9837e8a7c0187e17156b0a537b5c6812678d5b7095c279c4f
                                                              • Opcode Fuzzy Hash: bf0cfcdcd351cc12fb7600fa998fc1f6185d974cd3725ac41fa1c8af8d435e51
                                                              • Instruction Fuzzy Hash: 0231A731A042899FDF01EFA4DD5299EFBF5EFD4310F1042A6E940A3295E7709E81C690
                                                              Function 50016998 Relevance: 12.1, APIs: 8, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169BA
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169FB
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169EF
                                                                • Part of subcall function 5001B1C8: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120 ref: 5001B1DB
                                                              • @Sysutils@IntToStr$qqri.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A27
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A33
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A4A
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A56
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$Stringx20$Cat3$qqrr20Stringt2$Asg$qqrr20FromStr$qqriStringSysutils@$CharChar$qqrr20Len$qqrr20StringbStringpci
                                                              • String ID:
                                                              • API String ID: 2719714811-0
                                                              • Opcode ID: abe00f2d5019f9ca9630ead1b1a181555649122de7a3af72321aa8d936361c12
                                                              • Instruction ID: ea3395305638f272936f2b0549da07458c661ac4152f8a557e01a894cc4a250d
                                                              • Opcode Fuzzy Hash: abe00f2d5019f9ca9630ead1b1a181555649122de7a3af72321aa8d936361c12
                                                              • Instruction Fuzzy Hash: 0B21B0747022449BE708CE99DCA16AEB3E7EBCD300FA0863FF505D7341E675AD018694
                                                              Function 5002B8AC Relevance: 12.1, APIs: 8, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B8E6
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B8FB
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B918
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B940
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B953
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B967
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@$System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Builder@set_Char$qqrx20Length$qqriMove$qqrpxvpviSysutils@
                                                              • String ID:
                                                              • API String ID: 509217649-0
                                                              • Opcode ID: 57109080cef9c16d1e5caa8776740e072df40173a5d0d8d2589dbaaf05c1b2f2
                                                              • Instruction ID: 4776b8aa2b7f85fb9c844d62bdb1f3a0b78aa5720451edc0d99c7a6c12b062e9
                                                              • Opcode Fuzzy Hash: 57109080cef9c16d1e5caa8776740e072df40173a5d0d8d2589dbaaf05c1b2f2
                                                              • Instruction Fuzzy Hash: AD218330B02186DF9F11EF78E95186DB3F9EF8430076142A6E64497215EB30EF41D780
                                                              Function 5000A1E4 Relevance: 12.1, APIs: 8, Instructions: 79COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@NewUnicodeString$qqri.RTL120 ref: 5000A227
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A23B
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A253
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A263
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A279
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A287
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A297
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$Asg$qqrr20StringStringx20$Move$qqrpxvpvi$String$qqri$Clr$qqrpvFreeMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 628645394-0
                                                              • Opcode ID: 43e4a635c658f9d3ccd16e17d2eed1da22889dcf8d4b35ef7c0074040d58dafa
                                                              • Instruction ID: a5e17d5f5a6bf6054f8e727ea2d10013107e8b22956fef989289cb67f68bf60a
                                                              • Opcode Fuzzy Hash: 43e4a635c658f9d3ccd16e17d2eed1da22889dcf8d4b35ef7c0074040d58dafa
                                                              • Instruction Fuzzy Hash: 3021B7307065A04BFB14AB5DD4B2A2EF3E69FD5100BE4872BA644CB306DA75CC41C392
                                                              Function 50028754 Relevance: 12.1, APIs: 8, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Internal
                                                              • String ID:
                                                              • API String ID: 1771006815-0
                                                              • Opcode ID: 776671bc0eec5f129ae3a97f8df4fb0cf3bb1fa82ad82360c3030aec5ea0138b
                                                              • Instruction ID: dc23fba009a07f5ee1e34ee886edddc6a55f2f6ed9e61d9879787caccd6cdf4c
                                                              • Opcode Fuzzy Hash: 776671bc0eec5f129ae3a97f8df4fb0cf3bb1fa82ad82360c3030aec5ea0138b
                                                              • Instruction Fuzzy Hash: 7E219835A022969FDF01DFB8EC9195EB7F9EF54200FA14676E504A3255EB70EE41C780
                                                              Function 50008CB0 Relevance: 12.1, APIs: 8, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008CCE
                                                                • Part of subcall function 500087FC: @System@@NewAnsiString$qqrius.RTL120(?,?,500056AE,00000000), ref: 50008821
                                                                • Part of subcall function 500087FC: @System@Move$qqrpxvpvi.RTL120(00000000,?,500056AE,00000000), ref: 5000882D
                                                                • Part of subcall function 500087FC: @System@@FreeMem$qqrpv.RTL120(500056AE,00000000), ref: 5000884F
                                                              • @System@@NewAnsiString$qqrius.RTL120 ref: 50008CF2
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(00000000), ref: 50008D06
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 50008D1C
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(00000000), ref: 50008D2C
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 50008D3E
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 50008D4C
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008D5C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$Asg$qqrpvpxv$Move$qqrpxvpviSystem@$AnsiString$qqrius$Clr$qqrpvFreeMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 2313995952-0
                                                              • Opcode ID: 936d8e47756e1243cb644d74a7489a6b21377997ac42361d4549fc5c609b8712
                                                              • Instruction ID: 904c7c465a019645a902773b85c2849f7ea8bb55d576d4d16d3aa3ff9e88d0e0
                                                              • Opcode Fuzzy Hash: 936d8e47756e1243cb644d74a7489a6b21377997ac42361d4549fc5c609b8712
                                                              • Instruction Fuzzy Hash: 2B2165247051908BB754E71DD47192DF3F6BFE42407E4872BA6C4C7269DAB0DC818795
                                                              Function 50015614 Relevance: 12.1, APIs: 8, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500156E2), ref: 50015657
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500156E2), ref: 5001567F
                                                              • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500156E2), ref: 5001569F
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500156E2), ref: 500156AB
                                                              • @Sysutils@AnsiStrIComp$qqrpbt1.RTL120(00000000,500156E2), ref: 500156B7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiStringSystem@@$FromStr$qqrr20Stringx27System@%T$us$i0$%$InternalSysutils@$ByteChar$qqrx20Comp$qqrpbt1StringiType$qqrx20
                                                              • String ID:
                                                              • API String ID: 1446078087-0
                                                              • Opcode ID: c5b83aefb23b3358bd06b18d679ca1007ac45f940c9c0406256258f96d7ac833
                                                              • Instruction ID: beebbf29126e9d6e6507f71e1fa188fd936efd99e5be5d72eda28bad75657d21
                                                              • Opcode Fuzzy Hash: c5b83aefb23b3358bd06b18d679ca1007ac45f940c9c0406256258f96d7ac833
                                                              • Instruction Fuzzy Hash: 10215C30A0138ADFEF01DEB8DD9299DB7F5EF54201F904675A5409B265EB70DE85CA80
                                                              Function 500158D8 Relevance: 12.1, APIs: 8, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500159A6), ref: 5001591B
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500159A6), ref: 50015943
                                                              • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500159A6), ref: 50015963
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500159A6), ref: 5001596F
                                                              • @Sysutils@AnsiStrComp$qqrpbt1.RTL120(00000000,500159A6), ref: 5001597B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiStringSystem@@$FromStr$qqrr20Stringx27System@%T$us$i0$%$InternalSysutils@$ByteChar$qqrx20Comp$qqrpbt1StringiType$qqrx20
                                                              • String ID:
                                                              • API String ID: 1446078087-0
                                                              • Opcode ID: 967e1a292ced734fea3fda5a5ef9006a9914c61bdb3ab0efd8a449f196f86bfa
                                                              • Instruction ID: 972cb8add0711401713003887be376873cbf6b1675d33c83f3af55f82446fe10
                                                              • Opcode Fuzzy Hash: 967e1a292ced734fea3fda5a5ef9006a9914c61bdb3ab0efd8a449f196f86bfa
                                                              • Instruction Fuzzy Hash: 87219D30A0028ADFDF01DFB9DD8169DB7F5EF45211F504276E6009B255EB30DE82D642
                                                              Function 50015534 Relevance: 12.1, APIs: 8, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500155FB), ref: 50015563
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500155FB), ref: 50015582
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500155FB), ref: 500155AA
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,500155FB), ref: 500155C4
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,500155FB), ref: 500155D3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String$System@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Internal$Compare
                                                              • String ID:
                                                              • API String ID: 1952152088-0
                                                              • Opcode ID: 49bd338da330a834a7d5b6809eacd117c69c76319b46f620415589b967403da5
                                                              • Instruction ID: 8a79f3fe02d8f7039cd64eb97ab1fc8fe1bf3bea09e212b9e8f8072deb91f6bc
                                                              • Opcode Fuzzy Hash: 49bd338da330a834a7d5b6809eacd117c69c76319b46f620415589b967403da5
                                                              • Instruction Fuzzy Hash: 45216F70610685EFEB11DEB8DDA299EB7FAEF44240F904662E600EB291E770DE81D650
                                                              Function 5001A0A8 Relevance: 12.1, APIs: 8, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0C8
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0D2
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0EF
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A117
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A12B
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A135
                                                              • CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?), ref: 5001A142
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Char$qqrx20InternalStringx20$CompareFreeMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 2845561448-0
                                                              • Opcode ID: a637fd93928d4bcc59d4fbf31d7dd1fda35c7064787cfb8b0e7d3fb8d7a31359
                                                              • Instruction ID: 557e5c510faaf08c59fda0598d3fc89e05443d392f4ccd520a77b62b8c30d619
                                                              • Opcode Fuzzy Hash: a637fd93928d4bcc59d4fbf31d7dd1fda35c7064787cfb8b0e7d3fb8d7a31359
                                                              • Instruction Fuzzy Hash: 2F219331B003A5ABEF11DAB4DC52A5AB7F8EF49200F514272EA00E7246E770EE85C690
                                                              Function 5001A248 Relevance: 12.1, APIs: 8, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A268
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A272
                                                                • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A28F
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2B7
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2CB
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2D5
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2E2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Char$qqrx20InternalStringx20$CompareFreeMem$qqrpv
                                                              • String ID:
                                                              • API String ID: 2845561448-0
                                                              • Opcode ID: e7b34f49780f89b28d14b2ecf1d82b6ca6848bd6e1332e36c68cebb614f42406
                                                              • Instruction ID: 839b017c909a13abe63715c34b3dec019e8b2fcbb166aed1b6d102ad71667342
                                                              • Opcode Fuzzy Hash: e7b34f49780f89b28d14b2ecf1d82b6ca6848bd6e1332e36c68cebb614f42406
                                                              • Instruction Fuzzy Hash: 7B219331A003A5ABEF01DAB8DD91A5AB7F8EF49600F514272FA00E7245E670DE85C690
                                                              Function 5001A17C Relevance: 12.1, APIs: 8, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A238), ref: 5001A1C0
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A238), ref: 5001A1E8
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A238), ref: 5001A1FC
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A238), ref: 5001A206
                                                              • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001A238), ref: 5001A213
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String$System@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Internal$Compare
                                                              • String ID:
                                                              • API String ID: 1952152088-0
                                                              • Opcode ID: 60bac2dbcf486b484fd8edb7a338e1cfbf0ddd4389093eb7d5b855bee5dfed36
                                                              • Instruction ID: 7aa712e8d9422046bf6ebc41a1e60e2c3364a706724e098922e2a107fb2dba3f
                                                              • Opcode Fuzzy Hash: 60bac2dbcf486b484fd8edb7a338e1cfbf0ddd4389093eb7d5b855bee5dfed36
                                                              • Instruction Fuzzy Hash: 27217270A41299AFEF01DFB8DC9299EB7F8EF55210F904672EA40A7245E7709E80D690
                                                              Function 50016A84 Relevance: 12.1, APIs: 8, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AA8
                                                                • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AC1
                                                                • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AC9
                                                                • Part of subcall function 5001B48C: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120 ref: 5001B497
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AE1
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AE9
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016B07
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016B0F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$FromString$Char$qqrr20StringbSysutils@$Int$qqrx20$AnsiInternalStr$qqrr20Stringx20Stringx27System@%T$us$i0$%$Asg$qqrr20Cat$qqrr20CharLen$qqrr20Long$qqrx20Soundex$qqrx20Str$qqriStringiStringpbiStringriStrutils@
                                                              • String ID:
                                                              • API String ID: 1727032514-0
                                                              • Opcode ID: 9544c1ba6febaeb11602175b13897d1a00f0a9f904f52e82c35a4ea79f3a4763
                                                              • Instruction ID: 73112111d8c23333898401fd14fec3439d1d4c23f5a36a265c86c13f67aa07f8
                                                              • Opcode Fuzzy Hash: 9544c1ba6febaeb11602175b13897d1a00f0a9f904f52e82c35a4ea79f3a4763
                                                              • Instruction Fuzzy Hash: 98119370B051489FDB04EFE4DC929EEB3A6EBD4210B55C376A9008374AEB38AE459694
                                                              Function 5000D4C4 Relevance: 12.1, APIs: 8, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4E2
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4F4
                                                                • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4FD
                                                              • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D508
                                                                • Part of subcall function 5000CE0C: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,?,5000D50D,?,00000000,5000D54A), ref: 5000CE34
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D519
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D525
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D52F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$String$Asg$qqrr20Stringx20$Length$qqrr20Stringi$AnsiByteCharChar$qqrx20Clr$qqrpvFromMem$qqrrpviMultiReallocStr$qqrr20Stringx27System@%T$us$i0$%Unicode$qqrpbuipcuiUtf8Wide
                                                              • String ID:
                                                              • API String ID: 1178600862-0
                                                              • Opcode ID: f46a319949a0f8be63f242d61074621778d9a0e6e5d67ca0fbb5c852c94508df
                                                              • Instruction ID: b68bba9100bf9d62a181cd0ba84c1bf9c83d5d046ee87d3bee0c1ba5abf9dfab
                                                              • Opcode Fuzzy Hash: f46a319949a0f8be63f242d61074621778d9a0e6e5d67ca0fbb5c852c94508df
                                                              • Instruction Fuzzy Hash: 26016830601AC8ABFB10CFB5DCB299EB7EADF95204BE08A73F80087111EA30DE01C590
                                                              Function 5000B2CC Relevance: 10.6, APIs: 7, Instructions: 109COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B31F
                                                              • @System@@WStrAsg$qqrr17System@WideStringx17System@WideString.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B336
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B34D
                                                              • @System@@CopyArray$qqrv.RTL120(?,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B386
                                                              • @System@@CopyRecord$qqrv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B39A
                                                              • @System@@IntfCopy$qqrr45System@%DelphiInterface$t17System@IInterface%x45System@%DelphiInterface$t17System@IInterface%.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B3B5
                                                              • @System@@DynArrayAsg$qqrv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B3CB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$CopyDelphiInterface$t17StringSystem@%UnicodeWide$ArrayArray$qqrvAsg$qqrpvpxvAsg$qqrr17Asg$qqrr20Asg$qqrvCopy$qqrr45Interface%Interface%x45IntfRecord$qqrvStringx17Stringx20
                                                              • String ID:
                                                              • API String ID: 2237906399-0
                                                              • Opcode ID: b04e6cb788995e5d8afb73564426f797f1c67d65cb384e711102801db3d5bd43
                                                              • Instruction ID: 17e68543b33f0793b23223b217cdc46ee77ba68b7f488055d9e3e5e4418e0c98
                                                              • Opcode Fuzzy Hash: b04e6cb788995e5d8afb73564426f797f1c67d65cb384e711102801db3d5bd43
                                                              • Instruction Fuzzy Hash: 0B31C2B2B049988BF3207A49ECB179AF3D2AB94314FF54336D649D3312D671EE119681
                                                              Function 50027BBC Relevance: 10.6, APIs: 7, Instructions: 100COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 50027BD1
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027BFE
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027C38
                                                              • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027CD0), ref: 50027C55
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027C8D
                                                              • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027CD0), ref: 50027CA8
                                                              • @System@@LStrClr$qqrpv.RTL120(50027CD7), ref: 50027CCA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AnsiStringSystem@%System@@$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Internal$CharIndex$qqrx27NextSysutils@T$us$i0$%i$Clr$qqrpvRef$qqrpv
                                                              • String ID:
                                                              • API String ID: 360761928-0
                                                              • Opcode ID: 094be7fb4b332f3584b311a85b3cf5a89501829387b4e68e140eca991bc94513
                                                              • Instruction ID: 116a533da1986bff42e015f6ef194d79bf04bfc9b8e4ea4b873e8cb7479415cf
                                                              • Opcode Fuzzy Hash: 094be7fb4b332f3584b311a85b3cf5a89501829387b4e68e140eca991bc94513
                                                              • Instruction Fuzzy Hash: D7316030A06186DFCB11DF78EA915BDB7F5FF44300B6046BAE448D7256D771AE409B90
                                                              Function 5000B440 Relevance: 10.6, APIs: 7, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B4C0
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B4DF
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,5000B53E), ref: 5000B4F5
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B47B
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B512
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%Unicode$Internal$Move$qqrpxvpvi
                                                              • String ID:
                                                              • API String ID: 2269240621-0
                                                              • Opcode ID: 07a4e3b2a30b5038fec9cdcacff2e7d97685f54e4cb4140f115b55e76aca54ed
                                                              • Instruction ID: ab6cb9ca280b5cfd23ec245c9f52380a76360824adbb00bdbbb02a50cc25d4fa
                                                              • Opcode Fuzzy Hash: 07a4e3b2a30b5038fec9cdcacff2e7d97685f54e4cb4140f115b55e76aca54ed
                                                              • Instruction Fuzzy Hash: 11318E30700689DBBB11EFA8DAA266DB3F8EF49300BA046B5E601D7256E7B4DF40D750
                                                              Function 5001C3F4 Relevance: 10.6, APIs: 7, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                              • @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20Scan$qqrpxbbSysutils@
                                                              • String ID:
                                                              • API String ID: 3324498720-0
                                                              • Opcode ID: bf26a2b97ca58175508d886ed96bf389f4343cc66bbe0e155038a7790a10b8fe
                                                              • Instruction ID: e1cde9bc071b440c39512abc6ffcd83c64075ec29b59cb21d599069659e6d0c2
                                                              • Opcode Fuzzy Hash: bf26a2b97ca58175508d886ed96bf389f4343cc66bbe0e155038a7790a10b8fe
                                                              • Instruction Fuzzy Hash: 6621F530A046D9EFDB11CFA8DD6297DB3F8EF94620BA04266E90197255E734DE80D680
                                                              Function 50015AC8 Relevance: 10.6, APIs: 7, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B01
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,50015B90), ref: 50015B12
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50015B90), ref: 50015B19
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B38
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B65
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20Length$qqrr20Stringi
                                                              • String ID:
                                                              • API String ID: 1537914859-0
                                                              • Opcode ID: 1e13e7f021d760450b2d22ee9921c6ee7e773aeb530b874d90593081222a90d2
                                                              • Instruction ID: c8b1f13dae7ebe80b3f85388a8d19f916493298cae09e507b059e2df6187fb7d
                                                              • Opcode Fuzzy Hash: 1e13e7f021d760450b2d22ee9921c6ee7e773aeb530b874d90593081222a90d2
                                                              • Instruction Fuzzy Hash: CF218030B0428ADFEB11DFB8DDD196AB3F9EF4820076042B6E601DB255E770DE81D644
                                                              Function 500285BC Relevance: 10.6, APIs: 7, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028602
                                                              • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028622
                                                                • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 5002776B
                                                                • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277A2
                                                                • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277D2
                                                                • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277F8
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028648
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028651
                                                              • @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 5002865B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@$ByteChar$qqrx20Scan$qqrpxbbStringiType$qqrx20
                                                              • String ID:
                                                              • API String ID: 3411762798-0
                                                              • Opcode ID: d35db2a1ea66179b42cdae8437c045958a1c07e860a6d77cbb9ac8bb00c72174
                                                              • Instruction ID: a8f6eb758e1e06c8c1c440b87328b3b1e64a0ab06fc938b2605612978542ffee
                                                              • Opcode Fuzzy Hash: d35db2a1ea66179b42cdae8437c045958a1c07e860a6d77cbb9ac8bb00c72174
                                                              • Instruction Fuzzy Hash: 8621D234603286EF9F11CFA4F9468AD73F9EF54240B5146A6E900D7212D770DE02D790
                                                              Function 500168C0 Relevance: 10.6, APIs: 7, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500168EE
                                                                • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 5001690C
                                                                • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016914
                                                                • Part of subcall function 5001B48C: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120 ref: 5001B497
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 5001693A
                                                              • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016942
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$FromString$Char$qqrr20StringbSysutils@$AnsiInt$qqrx20InternalStr$qqrr20Stringx20Stringx27System@%T$us$i0$%$Asg$qqrr20Cat$qqrr20CharLen$qqrr20Long$qqrx20Soundex$qqrx20Str$qqriStringiStringpbiStringriStrutils@
                                                              • String ID:
                                                              • API String ID: 2274701456-0
                                                              • Opcode ID: ac56bb5497c64dd101285ab6a25fa0cdf7d2c5530a325b6ab08d65c0f87a2b94
                                                              • Instruction ID: c54646ffe945ded697551258782202c198b97f85722a43d93f103e696720e317
                                                              • Opcode Fuzzy Hash: ac56bb5497c64dd101285ab6a25fa0cdf7d2c5530a325b6ab08d65c0f87a2b94
                                                              • Instruction Fuzzy Hash: 6621D731E041986BDB05CBE8CC52AAEB7FEDF85200B55C3B6E84093246E6749E449690
                                                              Function 50031424 Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantCopy.OLEAUT32(00000000,00000000), ref: 50031445
                                                              • @Variants@VarResultCheck$qqrl.RTL120(00000000,00000000,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 5003144A
                                                                • Part of subcall function 50031010: VariantClear.OLEAUT32(?), ref: 5003101F
                                                                • Part of subcall function 50031010: @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,500310B6,50030FEB), ref: 50031024
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 5003146B
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031489
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Check$qqrlResultSystem@System@@UnicodeVariantVariants@$Asg$qqrpvpxvAsg$qqrr20ClearCopyStringStringx20
                                                              • String ID:
                                                              • API String ID: 2751304118-0
                                                              • Opcode ID: 47edba981e59826270ba9347fc8f56c62352a95c8f4581b4b0b067ba06d8f3f1
                                                              • Instruction ID: ee00f14aff617dd426c24f8c2058554ec1a3e359a2800c497603794938079f51
                                                              • Opcode Fuzzy Hash: 47edba981e59826270ba9347fc8f56c62352a95c8f4581b4b0b067ba06d8f3f1
                                                              • Instruction Fuzzy Hash: 97116D207122908FDB22DF65D8C55CB73E6AF89750F289A67E949CB21BDA71CC41C3A1
                                                              Function 5003546C Relevance: 10.6, APIs: 7, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@FindCustomVariantType$qqrxusrp27Variants@TCustomVariantType.RTL120(00000000,50035537,?,?), ref: 5003549F
                                                              • VariantInit.OLEAUT32(?), ref: 500354B1
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?,?,00000000,50035537,?,?), ref: 500354DD
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000000,50035537,?,?), ref: 500354EF
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,?,00000000,50035537,?,?), ref: 500354FA
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(5003551C,00000000,50035537,?,?), ref: 5003550F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@UnicodeVariant$CustomFromVariants@$Char$qqrr20Clear$qqrr8Copy$qqrx20DataFindInitStr$qqrr17StringStringiiStringpbStringx20TypeType$qqrxusrp27Variants@@Wide
                                                              • String ID:
                                                              • API String ID: 865651308-0
                                                              • Opcode ID: 8763aa30a9ec946c4e0ccce781f236a018d130b964ecc377f3df87a6c44489d8
                                                              • Instruction ID: 07e9fd6144ba846feccbf1d2d5f50ea28c486a3094c34e7fb266922d472c4f6f
                                                              • Opcode Fuzzy Hash: 8763aa30a9ec946c4e0ccce781f236a018d130b964ecc377f3df87a6c44489d8
                                                              • Instruction Fuzzy Hash: 2421C530A046889FDF06CFA4D851AEEB7F9EF89301F5186B6E804E3651D735AE04CA60
                                                              Function 5002C9C8 Relevance: 10.6, APIs: 7, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002CA02
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002C9FD
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002CA27
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002CA2C
                                                              • @Sysutils@TStringBuilder@set_Length$qqri.RTL120 ref: 5002CA38
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5002CA59
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5002CA71
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@$Sysutils@$RaiseRecxiUnicode$Except$qqrvException@$bctr$qqrp20Move$qqrpxvpviRecpx14$Asg$qqrr20Builder@set_ClassClassoCreate$qqrp17Error$qqrucFormat$qqrx20Length$qqriList$qqrvLoadMetaString$qqrp20Stringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 443726296-0
                                                              • Opcode ID: fc14187b7c7c042736da71d428de2dbcd4819c84bd0ff01dd216d439d3ad4659
                                                              • Instruction ID: 6731962c89c81303a3c1bfd03d19d81f0425a5c77e81de43e71a57f9a9c288b4
                                                              • Opcode Fuzzy Hash: fc14187b7c7c042736da71d428de2dbcd4819c84bd0ff01dd216d439d3ad4659
                                                              • Instruction Fuzzy Hash: 72218330B0118A9FD710DFA8EDC1E9DB7B9AF54318F5482AAE904CB356DA31ED058BD0
                                                              Function 5001A684 Relevance: 10.6, APIs: 7, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A736), ref: 5001A6C0
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6DF
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6F5
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A700
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A736), ref: 5001A71B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$System@@$String$AnsiEnsureFromStr$qqrr20String$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Copy$qqrx20InternalStringiiStringx20
                                                              • String ID:
                                                              • API String ID: 1585887659-0
                                                              • Opcode ID: 0af96fd3c9c2fbfef1c1b0d62c2197b1e7fe4d8968c3db8f64cb212c1ac6a178
                                                              • Instruction ID: d5e3eb8225a1e12af050891a21ba8373cf4462a52880f1e6278f7a9667c98c84
                                                              • Opcode Fuzzy Hash: 0af96fd3c9c2fbfef1c1b0d62c2197b1e7fe4d8968c3db8f64cb212c1ac6a178
                                                              • Instruction Fuzzy Hash: DC11D630A00398DFDB14DFA8DD9299DB3F8EF45200B958277E540D3166D7709F80D681
                                                              Function 50033038 Relevance: 10.6, APIs: 7, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@@VarToWStr$qqrr17System@WideStringrx8TVarData.RTL120(00000000,500330EA,?,?,00000000,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000), ref: 50033057
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,?,00000000,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000,00000000), ref: 50033099
                                                              • @Sysutils@TryStrToBool$qqrx20System@UnicodeStringro.RTL120(?,?,00000000,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000,00000000), ref: 500330A4
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000000,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000,00000000), ref: 500330B9
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000000,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000,00000000), ref: 500330C7
                                                              • @System@@WStrClr$qqrpv.RTL120(500330F1,00000000,00000000,?,500333B2,?,?,50031DED,?,?,00000000,00000000,00000000,?,50032154,00000000), ref: 500330E4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Check$qqrlususResultSystem@@UnicodeVariants@Wide$Bool$qqrx20Clr$qqrpvDataFromStr$qqrr17Str$qqrr20StringStringroStringrx8Stringx17Sysutils@Variants@@
                                                              • String ID:
                                                              • API String ID: 1173768992-0
                                                              • Opcode ID: 7b914f00c9d1e401b406d1a73b76230443df93573383ae0a0ee94260c994b2a9
                                                              • Instruction ID: a8a60db5bc0cf9a1b353983a5c4ec67a200eb5b5549c599d3b08386a8bf96e57
                                                              • Opcode Fuzzy Hash: 7b914f00c9d1e401b406d1a73b76230443df93573383ae0a0ee94260c994b2a9
                                                              • Instruction Fuzzy Hash: D611C830600188AFDB16DBA8DCA2BDD73F9EB49700F608772F600E7255D775AE09C651
                                                              Function 5002D4FC Relevance: 10.6, APIs: 7, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D532
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D52D
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D555
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D55A
                                                              • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D562
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D587
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D58C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$String$RaiseRecxiSysutils@$Except$qqrvException@$bctr$qqrp20Recpx14Unicode$ArrayAsg$qqrr20ClassClassoCreate$qqrp17Error$qqrucFormat$qqrx20Length$qqrvList$qqrvLoadMetaString$qqrp20Stringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 3522162408-0
                                                              • Opcode ID: 9cf405c63ed00766f81164b75ac821440813d4a1dc3845d93976b10434bf8ae2
                                                              • Instruction ID: 47428fe981a4d071b565a4daeec592a8c0e379a3984f211a2d94abaeb810db43
                                                              • Opcode Fuzzy Hash: 9cf405c63ed00766f81164b75ac821440813d4a1dc3845d93976b10434bf8ae2
                                                              • Instruction Fuzzy Hash: 0811A231E05699ABDB10DFD8F8C1B9DB7B8AB14308F4081AAE90497252DA719E00CBA0
                                                              Function 5002A558 Relevance: 10.6, APIs: 7, Instructions: 60windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@SafeLoadLibrary$qqrx20System@UnicodeStringui.RTL120(00000000,5002A618), ref: 5002A57F
                                                                • Part of subcall function 5002B630: SetErrorMode.KERNEL32(00008000), ref: 5002B63A
                                                                • Part of subcall function 5002B630: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002B684,?,00000000,5002B6A2,?,00008000), ref: 5002B663
                                                                • Part of subcall function 5002B630: LoadLibraryW.KERNEL32(00000000,00000000,5002B684,?,00000000,5002B6A2,?,00008000), ref: 5002B669
                                                              • GetLastError.KERNEL32(00000000,5002A618), ref: 5002A594
                                                              • @Sysutils@SysErrorMessage$qqrui.RTL120(00000000,5002A618), ref: 5002A59C
                                                                • Part of subcall function 50025B28: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B47
                                                                • Part of subcall function 50025B28: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B69
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5002A618), ref: 5002A5BE
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5002A618), ref: 5002A5C3
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@InitializePackage$qqruipqqrui$o.RTL120(00000000,5002A5EA,?,00000000,5002A618), ref: 5002A5DB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$Sysutils@$String$ErrorLoad$RaiseRecxi$Asg$qqrr20CharChar$qqrx20ClassClassoCreate$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrp20FormatFormat$qqrx20FromInitializeLastLen$qqrr20LibraryLibrary$qqrx20List$qqrvMessageMessage$qqruiMetaModePackage$qqruipqqrui$oRecpx14SafeString$qqrp20StringpbiStringpx14StringuiStringx20
                                                              • String ID:
                                                              • API String ID: 3738557425-0
                                                              • Opcode ID: fe5b3e8d2f5ffc72b2367006201fb38f46a8a440544c7033cdf5550ca43c16ae
                                                              • Instruction ID: d7048bc2172d421995a8c02b2ad295fbd71a2bff1422e86dc26ccdf7dab828b2
                                                              • Opcode Fuzzy Hash: fe5b3e8d2f5ffc72b2367006201fb38f46a8a440544c7033cdf5550ca43c16ae
                                                              • Instruction Fuzzy Hash: 801108309066999FE705CFA4FC529AEBBF8EB59310F504576F504E3241DB745E00C7A0
                                                              Function 5001046C Relevance: 10.6, APIs: 7, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104AC
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104B1
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104C2
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104DF
                                                              • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(?,00000000,50010520,?,?,?,00000000,00000000), ref: 500104F5
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 50010500
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$Char$qqrr20FromStringb$Cat3$qqrr20Except$qqrvException@$bctr$qqrp20RaiseStringStringt2Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1860790855-0
                                                              • Opcode ID: caeef3e0a6f3d13820a5c3a4a28f008e23b8d367d4d1577ca5722a4c6e0df794
                                                              • Instruction ID: c00f10eb4ef58a00c0e347cc1ac883bdfb410f2ed051d6b945eaac8d7ac344f1
                                                              • Opcode Fuzzy Hash: caeef3e0a6f3d13820a5c3a4a28f008e23b8d367d4d1577ca5722a4c6e0df794
                                                              • Instruction Fuzzy Hash: EE1126716053C49BFB10DAA4ECD1BDFB39AEF48310F604277FA4083745D9B99E804691
                                                              Function 5002B9E8 Relevance: 10.6, APIs: 7, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5002B9FE
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002BA29
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002BA24
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002BA4C
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002BA51
                                                              • @Sysutils@TStringBuilder@set_Length$qqri.RTL120 ref: 5002BA5D
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5002BA77
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$String$Sysutils@$RaiseRecxiUnicode$Except$qqrvException@$bctr$qqrp20Recpx14$ArrayAsg$qqrr20Builder@set_ClassClassoCreate$qqrp17Error$qqrucFormat$qqrx20Length$qqriLength$qqrvList$qqrvLoadMetaMove$qqrpxvpviString$qqrp20Stringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 2784925796-0
                                                              • Opcode ID: 1667041f6e4c4e04a8d4a2e82b0d72eb47a86ad2971957d0b5d070b1c05cbe15
                                                              • Instruction ID: cb949063882ccfe4f8492ee94f7a12960d0db32fb565db7cba8276b964dc1cb1
                                                              • Opcode Fuzzy Hash: 1667041f6e4c4e04a8d4a2e82b0d72eb47a86ad2971957d0b5d070b1c05cbe15
                                                              • Instruction Fuzzy Hash: 6C118630A025859BD710DFACFD81AADB7B9AF54318F5482AAE904DB352DA719D048BD0
                                                              Function 5001A43C Relevance: 10.6, APIs: 7, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A474
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A480
                                                              • CharUpperBuffW.USER32(?,?,00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A490
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A49C
                                                              • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A4A7
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A4B2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Wide$FromUnicode$CharUpper$AnsiBuffCase$qqrx20Char$qqrx17Len$qqrr17Str$qqrr17Str$qqrr20StringpbiStringx17Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 534983715-0
                                                              • Opcode ID: 5d27df0171de173af17c0cc5cb6ee76833d8b56f58fc8406f40f8d3b55e42c42
                                                              • Instruction ID: 33202aa56892b5c3d98ea78cec372edfaed5d9f2320c7c772028933169ede13c
                                                              • Opcode Fuzzy Hash: 5d27df0171de173af17c0cc5cb6ee76833d8b56f58fc8406f40f8d3b55e42c42
                                                              • Instruction Fuzzy Hash: D711A530B01794ABEB10CBE8DD51B9DB3E8DB9A200F908672F900E3741D774DE458794
                                                              Function 5001A4E0 Relevance: 10.6, APIs: 7, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A518
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A524
                                                              • CharLowerBuffW.USER32(?,?,00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A534
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A540
                                                              • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A54B
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A556
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Wide$FromUnicode$CharLower$AnsiBuffCase$qqrx20Char$qqrx17Len$qqrr17Str$qqrr17Str$qqrr20StringpbiStringx17Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 176228272-0
                                                              • Opcode ID: 644b9fb92c3d6ef07a5067c8370350d292bcda6fbce292a46e7a1feb9069b290
                                                              • Instruction ID: d20671b8514017f2aeb96368901a0b64a7eab2f548f792ed05b88fe4d05113d0
                                                              • Opcode Fuzzy Hash: 644b9fb92c3d6ef07a5067c8370350d292bcda6fbce292a46e7a1feb9069b290
                                                              • Instruction Fuzzy Hash: D0115230B05694ABEB10CBA8DD51B9DB7E9EB4A600FD146B2F900E7341DA30DE458A94
                                                              Function 5000A89C Relevance: 10.6, APIs: 7, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5000A8A6
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A8B2
                                                                • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                              • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120 ref: 5000A8C9
                                                              • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120 ref: 5000A8EC
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5000A91E
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A92C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$StringSystem@Unicode$ArrayLength$qqrr20Length$qqrvStringiU$qqrr20Unique$AnsiClr$qqrpvFromMem$qqrrpviReallocStr$qqrr20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 63268518-0
                                                              • Opcode ID: d8794426dce69a8afdf5edacf3f7190b1c801e4214ab63c3ffaa2eb2339d506f
                                                              • Instruction ID: 589278789b040e58112a918f3487c0d04965380cb2fd0c6ea7f3740b3ad11151
                                                              • Opcode Fuzzy Hash: d8794426dce69a8afdf5edacf3f7190b1c801e4214ab63c3ffaa2eb2339d506f
                                                              • Instruction Fuzzy Hash: 2001DD103125694EE3117FAE9851BBBB2D6DFF22117818336F145C763ADFA84946C2C0
                                                              Function 5002A448 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 5002A3F8: @Sysutils@HashName$qqrpc.RTL120 ref: 5002A412
                                                                • Part of subcall function 5000E884: GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                                • Part of subcall function 5000E884: @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                              • @Sysutils@GetModuleName$qqrui.RTL120(?,Initialize,00000000,5002A4DD), ref: 5002A48C
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4A9
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4B8
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Sysutils@$System@@$AddressClr$qqrpvExcept$qqrvException@$bctr$qqrx20HashLoadModuleName$qqrpcName$qqruiProcRaiseRecxiStringString$qqrp20Stringpx14Unicode
                                                              • String ID: Initialize
                                                              • API String ID: 1682061199-2538663250
                                                              • Opcode ID: ab808db70563f3f0fa6552d98e969f741daa7b01a3021ac412289ab684d2b595
                                                              • Instruction ID: 46ff4c201679bb6a9b3a02cb542a9fa2f8a22491ac8c3f2d76804c6127a1f597
                                                              • Opcode Fuzzy Hash: ab808db70563f3f0fa6552d98e969f741daa7b01a3021ac412289ab684d2b595
                                                              • Instruction Fuzzy Hash: EC11C875A066995FD714EBE8FC5199EB7B8EF99300F80466AF814D3341DE74990086A0
                                                              Function 50031010 Relevance: 10.6, APIs: 7, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantClear.OLEAUT32(?), ref: 5003101F
                                                              • @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,500310B6,50030FEB), ref: 50031024
                                                              • @System@@LStrClr$qqrpv.RTL120(?,?,?,500310B6,50030FEB), ref: 5003103A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Check$qqrlClearClr$qqrpvResultSystem@@VariantVariants@
                                                              • String ID:
                                                              • API String ID: 452420788-0
                                                              • Opcode ID: eb70d2b8eab186a06ea140340b4e8703a8d7132057e564f3d20b5dcbcbd0fb7d
                                                              • Instruction ID: 52db8ca31b00b2e44e7104484223e2f8e7d0f429c131b9206ee594ad239fc269
                                                              • Opcode Fuzzy Hash: eb70d2b8eab186a06ea140340b4e8703a8d7132057e564f3d20b5dcbcbd0fb7d
                                                              • Instruction Fuzzy Hash: 9D01D4117061D08E9B2EBB74E8955DE27DA9F5C200F685B73F004AB127CBF98CC583A2
                                                              Function 5002C12C Relevance: 10.6, APIs: 7, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C13F
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C165
                                                              • @Strutils@MidStr$qqrx17System@WideStringxixi.RTL120(?,?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C174
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C17F
                                                              • @Sysutils@TStringBuilder@$bctr$qqrx20System@UnicodeStringi.RTL120(?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C18B
                                                              • @System@@WStrArrayClr$qqrpvi.RTL120(5002C1BA,?,?,?,00000000,00000000,00000000), ref: 5002C1A5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicodeWide$From$ArrayBuilder@$bctr$qqrx20ClassClassoClr$qqrpviCreate$qqrp17MetaStr$qqrr17Str$qqrr20Str$qqrx17StringiStringx17Stringx20StringxixiStrutils@Sysutils@
                                                              • String ID:
                                                              • API String ID: 3564302108-0
                                                              • Opcode ID: a080771f1c208bee87336802870a022ba774bc40fe05722359fd5bb0d4ea6352
                                                              • Instruction ID: 58922c8f4528d5c8cfb5e260768a024238476e9fd86c34fd90099dd993f29032
                                                              • Opcode Fuzzy Hash: a080771f1c208bee87336802870a022ba774bc40fe05722359fd5bb0d4ea6352
                                                              • Instruction Fuzzy Hash: B1019231A01549ABDB15CB94EC92EDEB7B9DF89710FA08263F90497291DB30AE118690
                                                              Function 50028934 Relevance: 10.5, APIs: 7, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@StrNew$qqrpxc.RTL120 ref: 50028947
                                                              • @Sysutils@StrLower$qqrpc.RTL120 ref: 5002894C
                                                              • @Sysutils@StrNew$qqrpxc.RTL120(00000000,500289AE), ref: 50028964
                                                                • Part of subcall function 5001DFD8: @Sysutils@StrLen$qqrpxc.RTL120(?,?,5002894C), ref: 5001DFE7
                                                                • Part of subcall function 5001DFD8: @Sysutils@AnsiStrAlloc$qqrui.RTL120(?,?,5002894C), ref: 5001DFF1
                                                                • Part of subcall function 5001DFD8: @Sysutils@StrMove$qqrpcpxcui.RTL120(?,?,5002894C), ref: 5001DFFA
                                                              • @Sysutils@StrLower$qqrpc.RTL120(00000000,500289AE), ref: 50028969
                                                              • @Sysutils@StrPos$qqrpxct1.RTL120(00000000,500289AE), ref: 50028977
                                                              • @Sysutils@StrDispose$qqrpc.RTL120(500289B5), ref: 500289A0
                                                              • @Sysutils@StrDispose$qqrpc.RTL120(500289B5), ref: 500289A8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sysutils@$Dispose$qqrpcLower$qqrpcNew$qqrpxc$Alloc$qqruiAnsiLen$qqrpxcMove$qqrpcpxcuiPos$qqrpxct1
                                                              • String ID:
                                                              • API String ID: 3159898584-0
                                                              • Opcode ID: 65390a648ab706a9b4138e702ec1e558a2639dcf986a1068156ad4c86a6bf754
                                                              • Instruction ID: 6b6a953f60cceed264f0bcce53d0f64a15a6626de01668e467ade48e568e826d
                                                              • Opcode Fuzzy Hash: 65390a648ab706a9b4138e702ec1e558a2639dcf986a1068156ad4c86a6bf754
                                                              • Instruction Fuzzy Hash: 58012C71A12A88AFCB01DFF8EC4159DBBF5EF49200F5186BAF414E3241D6345E82CB91
                                                              Function 500289C0 Relevance: 10.5, APIs: 7, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@StrNew$qqrpxb.RTL120 ref: 500289D3
                                                              • @Sysutils@StrLower$qqrpb.RTL120 ref: 500289D8
                                                                • Part of subcall function 5001DF24: @Sysutils@StrLen$qqrpxb.RTL120(?,?,500289DD), ref: 5001DF2C
                                                              • @Sysutils@StrNew$qqrpxb.RTL120(00000000,50028A3A), ref: 500289F0
                                                                • Part of subcall function 5001E004: @Sysutils@StrLen$qqrpxb.RTL120(?,?,500289D8), ref: 5001E013
                                                                • Part of subcall function 5001E004: @Sysutils@WideStrAlloc$qqrui.RTL120(?,?,500289D8), ref: 5001E01D
                                                                • Part of subcall function 5001E004: @Sysutils@StrMove$qqrpbpxbui.RTL120(?,?,500289D8), ref: 5001E026
                                                              • @Sysutils@StrLower$qqrpb.RTL120(00000000,50028A3A), ref: 500289F5
                                                              • @Sysutils@StrPos$qqrpxbt1.RTL120(00000000,50028A3A), ref: 50028A03
                                                              • @Sysutils@StrDispose$qqrpb.RTL120(50028A41), ref: 50028A2C
                                                              • @Sysutils@StrDispose$qqrpb.RTL120(50028A41), ref: 50028A34
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sysutils@$Dispose$qqrpbLen$qqrpxbLower$qqrpbNew$qqrpxb$Alloc$qqruiMove$qqrpbpxbuiPos$qqrpxbt1Wide
                                                              • String ID:
                                                              • API String ID: 2681763821-0
                                                              • Opcode ID: dde631375cb4bb7d56f948556d53dd842de3bc36197af2cee0c4b0b25e22cf47
                                                              • Instruction ID: 6bbc18074bfaf3f13c2d9ba9562f9445baf5c414cd24152d0a15d7c6618943bb
                                                              • Opcode Fuzzy Hash: dde631375cb4bb7d56f948556d53dd842de3bc36197af2cee0c4b0b25e22cf47
                                                              • Instruction Fuzzy Hash: 97012C71A02688AFDB01DFF8EC4168DB7F4EF18300F5186B6F514E3241DA749E818B95
                                                              Function 50005654 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrClr$qqrpv.RTL120 ref: 5000565F
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              • @System@@ReadString$qqrr15System@TTextRecp28System@%SmallString$iuc$255%i.RTL120 ref: 50005673
                                                              • @System@@LStrFromString$qqrr27System@%AnsiStringT$us$i0$%rx28System@%SmallString$iuc$255%us.RTL120 ref: 5000567E
                                                              • @System@@ReadString$qqrr15System@TTextRecp28System@%SmallString$iuc$255%i.RTL120 ref: 50005692
                                                              • @System@@LStrFromString$qqrr27System@%AnsiStringT$us$i0$%rx28System@%SmallString$iuc$255%us.RTL120(00000000), ref: 5000569F
                                                              • @System@@LStrCat$qqrv.RTL120(00000000), ref: 500056A9
                                                                • Part of subcall function 50008C34: @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C5B
                                                                • Part of subcall function 50008C34: @System@@LStrAsg$qqrpvpxv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C72
                                                                • Part of subcall function 50008C34: @System@Move$qqrpxvpvi.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C81
                                                                • Part of subcall function 50008C34: @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C8E
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 500056B0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@%$Small$Clr$qqrpvSystem@$AnsiFromReadRecp28StringString$iuc$255%iString$iuc$255%usString$qqrr15String$qqrr27T$us$i0$%rx28Text$Asg$qqrpvpxvCat$qqrvFreeLength$qqrvMem$qqrpvMove$qqrpxvpvi
                                                              • String ID:
                                                              • API String ID: 662791780-0
                                                              • Opcode ID: 322fabd3b3d09446b172a1f4d472e40869cc5ee6efa0138ea9fa57a789ac56db
                                                              • Instruction ID: 1597da7cb89d32d484f3510e975d69330bfa973a8168dd2e4a5d6276ee6f1995
                                                              • Opcode Fuzzy Hash: 322fabd3b3d09446b172a1f4d472e40869cc5ee6efa0138ea9fa57a789ac56db
                                                              • Instruction Fuzzy Hash: 9AF09A61B0628007F30822AC686227EB6C65FE9621FE4433AB1A8C73C6CD658C8203C7
                                                              Function 500042F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004321
                                                              • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004327
                                                              • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004336
                                                              • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004347
                                                              • @System@@LStrFromArray$qqrr27System@%AnsiStringT$us$i0$%pcius.RTL120(00000000,00000105,?), ref: 50004359
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CurrentDirectory$AnsiArray$qqrr27FromStringSystem@%System@@T$us$i0$%pcius
                                                              • String ID: :
                                                              • API String ID: 812956231-336475711
                                                              • Opcode ID: d4531ae81b963544f021ef1ea90c9204504484a3f5f4716b71b7cf15e618fe7b
                                                              • Instruction ID: 14dd6047c926db84beaf63a8d0797b2290f23bae7271ad8ecbc2d364b264a1e3
                                                              • Opcode Fuzzy Hash: d4531ae81b963544f021ef1ea90c9204504484a3f5f4716b71b7cf15e618fe7b
                                                              • Instruction Fuzzy Hash: 2DF09C712857C459F301D2A45862FDB72DC8F54305F884555BAC887282E6A4894483A3
                                                              Function 50004368 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000439E
                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 500043A4
                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 500043B3
                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 500043C4
                                                              • @System@@WStrFromWArray$qqrr17System@WideStringpbi.RTL120(00000105,?), ref: 500043D4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CurrentDirectory$Array$qqrr17FromStringpbiSystem@System@@Wide
                                                              • String ID: :
                                                              • API String ID: 3520144690-336475711
                                                              • Opcode ID: e61c8ef50fbd8babb1a17a426603306d17aff3204d3b54cd90e2a3508138ba61
                                                              • Instruction ID: e1ff67e176dda81c190dc6a9f1a3f12452a8938599ecb663bcea915995d7201c
                                                              • Opcode Fuzzy Hash: e61c8ef50fbd8babb1a17a426603306d17aff3204d3b54cd90e2a3508138ba61
                                                              • Instruction Fuzzy Hash: BEF0F6A118538465F300C7909862BEB72DCDF94300F84461A7AC8C7291E764854883A7
                                                              Function 5000AB98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000ABCF
                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 5000ABD5
                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000ABE4
                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 5000ABF5
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000105,?), ref: 5000AC05
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CurrentDirectory$Array$qqrr20FromStringpbiSystem@System@@Unicode
                                                              • String ID: :
                                                              • API String ID: 4026256132-336475711
                                                              • Opcode ID: 2b68eb89cb681cd55a960e9aeb2ba1da6e076241664762a1b8a276035e057fc5
                                                              • Instruction ID: 6165d01f749eae26b9877707474b045894ddf7302f58902652f5679b52eb8e57
                                                              • Opcode Fuzzy Hash: 2b68eb89cb681cd55a960e9aeb2ba1da6e076241664762a1b8a276035e057fc5
                                                              • Instruction Fuzzy Hash: 16F02B7518278469F304D3909872EE773DCDF54344F84852A76CCC7192E778C48893A7
                                                              Function 50027CE0 Relevance: 9.1, APIs: 6, Instructions: 98COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027D20
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027D56
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027DA8
                                                              • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027DC5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%$Internal$CharIndex$qqrx20NextStringiSysutils@
                                                              • String ID:
                                                              • API String ID: 2978737052-0
                                                              • Opcode ID: c73c156cb122086d3bfbdf691ceee361a25d80e81030dc572f38091c61ab5db2
                                                              • Instruction ID: ac24b254b590086063bb5863af78a8b9939e5d05ce7cae268ce3fd422f29ff03
                                                              • Opcode Fuzzy Hash: c73c156cb122086d3bfbdf691ceee361a25d80e81030dc572f38091c61ab5db2
                                                              • Instruction Fuzzy Hash: AE31C430A0258ADFDB11DFA9EA819FDF3F5FF44300B6046A6D508A7265D770AE81CB50
                                                              Function 500310C0 Relevance: 9.1, APIs: 6, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@@DispInvoke$qp8TVarDatarx8TVarDatap16System@TCallDescpv.RTL120(?,?,?,?), ref: 500310E2
                                                              • VariantInit.OLEAUT32(?), ref: 50031100
                                                              • @Variants@FindCustomVariantType$qqrxusrp27Variants@TCustomVariantType.RTL120(00000000,500311B4,?,?), ref: 50031166
                                                              • @Variants@VarInvalidOp$qqrv.RTL120(00000000,500311B4,?,?), ref: 50031186
                                                              • @Variants@@VarCopy$qqrr8TVarDatarx8TVarData.RTL120(500311BB,?), ref: 500311A6
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(500311BB,?), ref: 500311AE
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: VariantVariants@Variants@@$CustomDataDatarx8$CallClear$qqrr8Copy$qqrr8Datap16DescpvDispFindInitInvalidInvoke$qp8Op$qqrvSystem@TypeType$qqrxusrp27
                                                              • String ID:
                                                              • API String ID: 3013499437-0
                                                              • Opcode ID: 5ac3dfb80ff6f8dbe992fc935fb1ad922ec3ea8af3cd2fded624ac4e5225a757
                                                              • Instruction ID: 51b27559867bc955ec8fe122dba071485ba265a6bf2b90f3f5acb68f7b654021
                                                              • Opcode Fuzzy Hash: 5ac3dfb80ff6f8dbe992fc935fb1ad922ec3ea8af3cd2fded624ac4e5225a757
                                                              • Instruction Fuzzy Hash: 70314D75A04288AFDB12DFA8D981ADE77FCEB0C240F544662FA04D3251D770DD90CBA1
                                                              Function 50028108 Relevance: 9.1, APIs: 6, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028208), ref: 5002814F
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028208), ref: 50028179
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50028208), ref: 500281B2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50028208), ref: 500281DF
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AnsiFromStr$qqrr20StringStringx27System@System@%System@@T$us$i0$%Unicode$Internal
                                                              • String ID:
                                                              • API String ID: 2707610650-0
                                                              • Opcode ID: 82b5875e0cacdd6aef663cdc39e97f39450629254dff49b71527a16e955c069e
                                                              • Instruction ID: 393b429e180957fc2cfbae899d8291979aea1af8c2bec8120106278b796e9974
                                                              • Opcode Fuzzy Hash: 82b5875e0cacdd6aef663cdc39e97f39450629254dff49b71527a16e955c069e
                                                              • Instruction Fuzzy Hash: D8313C34B02186EBDB01DFB8E98299DB7F9EF44200B6086B6D500D7695E730EF55D740
                                                              Function 5001F77C Relevance: 9.1, APIs: 6, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?), ref: 5001F7D8
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?,?), ref: 5001F7F3
                                                              • @System@@WStrClr$qqrpv.RTL120 ref: 5001F812
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F81B
                                                                • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                              • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?), ref: 5001F845
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F85A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Wide$System@@$FormatSysutils@$Buf$qqrpvuipxvuipx14Length$qqrr17Recxirx24SettingsStringi$CharClr$qqrpvFreeFromLen$qqrr17Move$qqrpxvpviStringString$qqriStringpbi
                                                              • String ID:
                                                              • API String ID: 2345622591-0
                                                              • Opcode ID: f55d6f8b79e0f7ac82ec5d1309f64e9aceca909fd4ec5542df17d6911c072fd6
                                                              • Instruction ID: 727f941c8df5292463c23cd37930f27cc77a2850270d934a36b895f9e6f66720
                                                              • Opcode Fuzzy Hash: f55d6f8b79e0f7ac82ec5d1309f64e9aceca909fd4ec5542df17d6911c072fd6
                                                              • Instruction Fuzzy Hash: 42314F75F01549AFDB40CEADDC819AEB3F9EF58210B5082A6F918E7354DA30EE41CB90
                                                              Function 5001F698 Relevance: 9.1, APIs: 6, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxi.RTL120(?,?,?), ref: 5001F6F0
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?), ref: 5001F70B
                                                              • @System@@WStrClr$qqrpv.RTL120 ref: 5001F72A
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F733
                                                                • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                              • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxi.RTL120(?,?,?), ref: 5001F759
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F76E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Wide$System@@$Buf$qqrpvuipxvuipx14FormatLength$qqrr17RecxiStringiSysutils@$CharClr$qqrpvFreeFromLen$qqrr17Move$qqrpxvpviStringString$qqriStringpbi
                                                              • String ID:
                                                              • API String ID: 4105650016-0
                                                              • Opcode ID: 10139ca0b291b8347723082711ce525d742fa5c123425f79956b6c0e53db1538
                                                              • Instruction ID: 0f111183127a4ac1b74a776fd40eab0f620fc160a94f9ed32ff36730c38c6e24
                                                              • Opcode Fuzzy Hash: 10139ca0b291b8347723082711ce525d742fa5c123425f79956b6c0e53db1538
                                                              • Instruction Fuzzy Hash: FF315E75F05549ABEB00CEADDD8199EB3F9EF58210B5082B6E904E7390DA70EE41CB90
                                                              Function 5002772C Relevance: 9.1, APIs: 6, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 5002776B
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277A2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277D2
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277F8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AnsiFromStr$qqrr20StringStringx27System@System@%System@@T$us$i0$%Unicode$Internal
                                                              • String ID:
                                                              • API String ID: 2707610650-0
                                                              • Opcode ID: e7a70c3558bd8af8c47607f7dc99d6952102971f24995eeed80e251423e86636
                                                              • Instruction ID: 200609d8e3b54832c1637fbc2b58139f495729bdf34ff5c0e14a03cdfe71e056
                                                              • Opcode Fuzzy Hash: e7a70c3558bd8af8c47607f7dc99d6952102971f24995eeed80e251423e86636
                                                              • Instruction Fuzzy Hash: 1F31D730A06187EF9F11DFB8EB169BEB3F6EF402007A086A5D508D7155EB70DE42D681
                                                              Function 50029CF0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@PCharLen$qqrpc.RTL120(?,?,00000000,?,5002A1CB), ref: 50029C6A
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C7E
                                                              • @System@@GetMem$qqri.RTL120(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C91
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 50029CA7
                                                              • CharUpperBuffW.USER32(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CAE
                                                              • @System@@FreeMem$qqrpv.RTL120(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CDD
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$System@@$ByteMultiWide$BuffFreeLen$qqrpcMem$qqriMem$qqrpvUpper
                                                              • String ID:
                                                              • API String ID: 1645325746-0
                                                              • Opcode ID: 21fe9afe1a4d83a0676da24a77eaaefb3b218fec0eebcba249eb9c961a3e5a99
                                                              • Instruction ID: f7199de9386b15250c3ec5562f9d3cd908530842460295cde10b401094cd2a77
                                                              • Opcode Fuzzy Hash: 21fe9afe1a4d83a0676da24a77eaaefb3b218fec0eebcba249eb9c961a3e5a99
                                                              • Instruction Fuzzy Hash: C51129127832D62BFB302079BC92BFB66C9C7422A0FE50336F644D72C1D8444C0162E4
                                                              Function 5000B08C Relevance: 9.1, APIs: 6, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120(?,?,?,5000B069), ref: 5000B0D3
                                                              • @System@@WStrAddRef$qqrr17System@WideString.RTL120(?,?,?,5000B069), ref: 5000B0E2
                                                              • @System@@AddRefArray$qqrv.RTL120(?,?,?,?,5000B069), ref: 5000B10E
                                                              • @System@@AddRefRecord$qqrv.RTL120(?,?,?,?,5000B069), ref: 5000B124
                                                              • @System@@IntfAddRef$qqrx45System@%DelphiInterface$t17System@IInterface%.RTL120(?,?,?,5000B069), ref: 5000B134
                                                              • @System@@DynArrayAddRef$qqrv.RTL120(?,?,?,5000B069), ref: 5000B143
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$ArrayArray$qqrvDelphiInterface$t17Interface%IntfRecord$qqrvRef$qqrpvRef$qqrr17Ref$qqrvRef$qqrx45StringSystem@%Wide
                                                              • String ID:
                                                              • API String ID: 2012329709-0
                                                              • Opcode ID: f4ec387a1cd11effdb45d4b7d2cd1ee05245cfe1110f8ce66fbe9255a9397f64
                                                              • Instruction ID: 6d55af36f0b63116c874578287824143ce439da2b530ab690ffda4e0f3d9c361
                                                              • Opcode Fuzzy Hash: f4ec387a1cd11effdb45d4b7d2cd1ee05245cfe1110f8ce66fbe9255a9397f64
                                                              • Instruction Fuzzy Hash: 2921A431284EC447F621B74CECB2BE7B3D1EB663143D04B26E9918B219D664AC4396A5
                                                              Function 5000925C Relevance: 9.1, APIs: 6, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 50009281
                                                              • @System@@ReallocMem$qqrrpvi.RTL120(?,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 5000929E
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092B7
                                                              • @System@@NewAnsiString$qqrius.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092C8
                                                              • @System@Move$qqrpxvpvi.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092E0
                                                              • @System@@LStrClr$qqrpv.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092E7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiClr$qqrpvSystem@$FromMem$qqrrpviMove$qqrpxvpviReallocStr$qqrr27StringString$qqriusStringusSystem@%T$us$i0$%x20Unicode
                                                              • String ID:
                                                              • API String ID: 2700304443-0
                                                              • Opcode ID: 8ea68c66dfcedd19741d309cb17a95da812b4b11250355e603ccff5346edb9f3
                                                              • Instruction ID: 19fd1448c94dc337e7dea5b0d8d868d31cbff661868f48eb09bfe7f6c9d98fa6
                                                              • Opcode Fuzzy Hash: 8ea68c66dfcedd19741d309cb17a95da812b4b11250355e603ccff5346edb9f3
                                                              • Instruction Fuzzy Hash: BB1108317016905BFF459A5D9CA4B1EF3EAAFE16017E4427AE504CB369DEB0CC01C396
                                                              Function 50024778 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002482B), ref: 500247B6
                                                              • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,5002482B), ref: 500247E6
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F4
                                                                • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F9
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@$StringSystem@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$CharEnsureIndex$qqrx20Len$qqrx20NextString$qqrr20StringiSysutils@
                                                              • String ID:
                                                              • API String ID: 3710370719-0
                                                              • Opcode ID: 8b75fbade8f57a9a3d3cff76574fc1a2f37bac70cd31005b4f4dbd189082e660
                                                              • Instruction ID: c71702f12b748d452bae67db58d8c73811d6ffb118b8ba3891e4b339e8c778a6
                                                              • Opcode Fuzzy Hash: 8b75fbade8f57a9a3d3cff76574fc1a2f37bac70cd31005b4f4dbd189082e660
                                                              • Instruction Fuzzy Hash: ED21E43091A0DAEFDB91DBA8E8525ADB3F4EF06710B6107A2ED10D7261D3705E01E792
                                                              Function 50035B58 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@FindCustomVariantType$qqrxusrp27Variants@TCustomVariantType.RTL120(00000000,50035C10,?,?), ref: 50035B88
                                                              • VariantInit.OLEAUT32(?), ref: 50035B9A
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?,?,00000000,50035C10,?,?), ref: 50035BC6
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000000,50035C10,?,?), ref: 50035BD8
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50035BFA,00000000,50035C10,?,?), ref: 50035BED
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Variant$CustomSystem@System@@UnicodeVariants@$Char$qqrr20Clear$qqrr8Copy$qqrx20DataFindFromInitStringiiStringpbTypeType$qqrxusrp27Variants@@
                                                              • String ID:
                                                              • API String ID: 3086420749-0
                                                              • Opcode ID: 40e2308c812324028bbe22355ca92887c5f4a01a59f99a618f92d94b6acaf9c2
                                                              • Instruction ID: 91e819199a48f9979ee70a8758d56e98f09266c5e3322a99aa85d032a187cd83
                                                              • Opcode Fuzzy Hash: 40e2308c812324028bbe22355ca92887c5f4a01a59f99a618f92d94b6acaf9c2
                                                              • Instruction Fuzzy Hash: 22218171A046889FDF06CFA4D8519DEF7F9EF89301F5186B6E900A2661D6385E00CA64
                                                              Function 5000A0CC Relevance: 9.1, APIs: 6, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                              • @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                              • @System@@NewUnicodeString$qqri.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A137
                                                              • @System@Move$qqrpxvpvi.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A151
                                                              • @System@@LStrClr$qqrpv.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A158
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$Clr$qqrpvSystem@Unicode$AnsiFromMem$qqrrpviMove$qqrpxvpviReallocStr$qqrr20StringString$qqriStringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 459293572-0
                                                              • Opcode ID: 4cc0a279c1e311adab8d615449bc2667f6091f2205e3147081700d59042c7b26
                                                              • Instruction ID: abed3fd4436abaaa380d7623d8e1add1c8c2b5ba31a90049ac681112dc4d52f4
                                                              • Opcode Fuzzy Hash: 4cc0a279c1e311adab8d615449bc2667f6091f2205e3147081700d59042c7b26
                                                              • Instruction Fuzzy Hash: 6A11E5327035704FBB049B6D9865799B3EAAFE6511BE48276E104CF31AEA70CC018381
                                                              Function 5002E44C Relevance: 9.1, APIs: 6, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5002E45A
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5002E4EB), ref: 5002E487
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5002E4EB), ref: 5002E4A5
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 5002E4C7
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5002E4D0
                                                              • @System@@LStrClr$qqrpv.RTL120(5002E4F2), ref: 5002E4E5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$AnsiFromStr$qqrr27StringStringusSystem@%T$us$i0$%x20Unicode$Internal$ArrayClr$qqrpvLength$qqrvMove$qqrpxvpviRef$qqrpv
                                                              • String ID:
                                                              • API String ID: 1261208877-0
                                                              • Opcode ID: 4549fb7da4154c2efe271ba38f2e99dccb4cd4c1b1852a6d14b1631e81dae761
                                                              • Instruction ID: 3c343618ad32febf82e58c60c3e9db0a7bab7a8f9f77b7682e2089b40a4c880e
                                                              • Opcode Fuzzy Hash: 4549fb7da4154c2efe271ba38f2e99dccb4cd4c1b1852a6d14b1631e81dae761
                                                              • Instruction Fuzzy Hash: 53119E30702186EFEB14EFB8ED619AEB3F9EB48200BA04276E505D3651E674EE41C695
                                                              Function 5001C64C Relevance: 9.1, APIs: 6, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C6EA), ref: 5001C675
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C6EA), ref: 5001C699
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@IsDelimiter$qqrx20System@UnicodeStringt1i.RTL120(00000000,5001C6EA), ref: 5001C6BA
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C6EA), ref: 5001C6CF
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Sysutils@$Delimiter$qqrx20$Char$qqrx20Copy$qqrx20LastScan$qqrpxbbStringiiStringt1Stringt1i
                                                              • String ID:
                                                              • API String ID: 3602360137-0
                                                              • Opcode ID: b7ecdf829e09be1f06fca1847c704ca9ba1f4837353794b0604a6312a969fd8d
                                                              • Instruction ID: b57de0521b8727ab11f2a8e42c2c38b0e85b4303b6796bbee391bef3ecd85a0b
                                                              • Opcode Fuzzy Hash: b7ecdf829e09be1f06fca1847c704ca9ba1f4837353794b0604a6312a969fd8d
                                                              • Instruction Fuzzy Hash: 8E11A534611188EFDF04DFE8DD52DAD73F8EF99214B6056A6E400D3251DB74DE81D650
                                                              Function 50031D7C Relevance: 9.1, APIs: 6, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@@VarToWStr$qqrr17System@WideStringrx8TVarData.RTL120(00000000,50031E1F,?,?,00000000,00000000,00000000,?,50032154,00000000,50032395,?,?,?,?), ref: 50031D9B
                                                              • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,?,00000000,00000000,00000000,?,50032154,00000000,50032395,?,?,?,?), ref: 50031DD2
                                                              • @Sysutils@TryStrToInt$qqrx20System@UnicodeStringri.RTL120(?,?,00000000,00000000,00000000,?,50032154,00000000,50032395,?,?,?,?), ref: 50031DDD
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000000,00000000,00000000,?,50032154,00000000,50032395,?,?,?,?), ref: 50031DFC
                                                              • @System@@WStrClr$qqrpv.RTL120(50031E26,00000000,00000000,?,50032154,00000000,50032395,?,?,?,?), ref: 50031E19
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@UnicodeWide$Check$qqrlususClr$qqrpvDataFromInt$qqrx20ResultStr$qqrr17Str$qqrr20StringStringriStringrx8Stringx17Sysutils@Variants@Variants@@
                                                              • String ID:
                                                              • API String ID: 3685914871-0
                                                              • Opcode ID: d86abba2b115910677163bcbe7cf94a3ee4c156bb713ce9b9e41b6afc9816b93
                                                              • Instruction ID: 64fc0b1b1b3668be5dc9410c538a2e56c50a2d38b04d724a0a77f611fab89794
                                                              • Opcode Fuzzy Hash: d86abba2b115910677163bcbe7cf94a3ee4c156bb713ce9b9e41b6afc9816b93
                                                              • Instruction Fuzzy Hash: BD118634600188AFDB12DFA5DC52BCD73F9EB4D700FA04672FA00D7255D771AE098690
                                                              Function 5003533C Relevance: 9.1, APIs: 6, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 50035362
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000000,500353FB,?,?,?), ref: 50035393
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?,?,00000000,500353FB,?,?,?), ref: 500353A2
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000000,500353FB,?,?,?), ref: 500353B4
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,?,00000000,500353FB,?,?,?), ref: 500353BE
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(500353E0,00000000,500353FB,?,?,?), ref: 500353D3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$From$String$AnsiCharChar$qqrr20Check$qqrlususClear$qqrr8Copy$qqrx20DataInitInternalLen$qqrr20ResultStr$qqrr17Str$qqrr20StringiiStringpbStringpbiStringx20Stringx27System@%T$us$i0$%VariantVariants@Variants@@Wide
                                                              • String ID:
                                                              • API String ID: 586056455-0
                                                              • Opcode ID: 91408789b8d8c02b34803f633b3ddfc0a8d103675c021eaf5b909a9d9fe4e244
                                                              • Instruction ID: 6b062a9980747ec9e3f71d883036385996f80c363af4a58439cc275360a37b00
                                                              • Opcode Fuzzy Hash: 91408789b8d8c02b34803f633b3ddfc0a8d103675c021eaf5b909a9d9fe4e244
                                                              • Instruction Fuzzy Hash: BB11E070A00689AFDB11CBA8DC62AEF77BCEB49310F510632F600E3690D630990086A4
                                                              Function 5002D8E4 Relevance: 9.1, APIs: 6, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@TEncoding@GetByteCount$qqrx20System@UnicodeString.RTL120(00000000,5002D979), ref: 5002D90D
                                                                • Part of subcall function 5002D5A8: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D61B), ref: 5002D5E1
                                                                • Part of subcall function 5002D5A8: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002D61B), ref: 5002D5F4
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000000,00000000,5002D979), ref: 5002D922
                                                                • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5002D942
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @Sysutils@TEncoding@GetBytes$qqrx20System@UnicodeStringiir25System@%DynamicArray$tuc%i.RTL120(00000000,?,?), ref: 5002D95E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$System@%$AnsiFromStr$qqrr20Stringx27T$us$i0$%$ArrayEncoding@InternalSysutils@$Array$tuc%iByteBytes$qqrx20Char$qqrx20Count$qqrx20DynamicLength$qqrrpvpvipiLength$qqrvStringiir25
                                                              • String ID:
                                                              • API String ID: 3882313379-0
                                                              • Opcode ID: 5b6da02c156a95da7720609a9d09f4bca19e112c761973def9f4e2993511ee2f
                                                              • Instruction ID: dc75beec895b85c51d3ff593ca8a9eb71013acc5c9df5cc455d5a5b56faa4565
                                                              • Opcode Fuzzy Hash: 5b6da02c156a95da7720609a9d09f4bca19e112c761973def9f4e2993511ee2f
                                                              • Instruction Fuzzy Hash: C311AD70701589AFEB00CBA9ED52A6AB7FDDF89700FA0427AF904D3251D671EE42D690
                                                              Function 5000A9E0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000AA77), ref: 5000AA22
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000AA77), ref: 5000AA46
                                                              • @System@@WriteLString$qqrr15System@TTextRecx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,5000AA77), ref: 5000AA52
                                                              • @System@@LStrClr$qqrpv.RTL120(5000AA7E), ref: 5000AA69
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@System@%$FromUnicode$Str$qqrr20Stringx27T$us$i0$%$Clr$qqrpvInternalRecx27Str$qqrr27String$qqrr15StringusT$us$i0$%iT$us$i0$%x20TextWrite
                                                              • String ID:
                                                              • API String ID: 1770171856-0
                                                              • Opcode ID: f3822a6ceb7ea1d4ed5306455a56ddfc370fb437e991b2596a5427501aefc0ed
                                                              • Instruction ID: b5ddcc7ba318723b074cea580f7c3f422d4a35a63fcd16844832d78ca229e7f9
                                                              • Opcode Fuzzy Hash: f3822a6ceb7ea1d4ed5306455a56ddfc370fb437e991b2596a5427501aefc0ed
                                                              • Instruction Fuzzy Hash: 22117030B052889FEB10CFB8D9A159EB7F9EF49200FA046B6E504D3291EB30DF01D681
                                                              Function 50026D6C Relevance: 9.1, APIs: 6, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026E08), ref: 50026D9A
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50026E08), ref: 50026DA9
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000002,?,00000000,50026E08), ref: 50026DD4
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000002,?,00000000,50026E08), ref: 50026DE3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringUnicode$LoadString$qqrp20$Asg$qqrr20Exception@$bctr$qqrx20RecxiStringpx14Stringx20System@@Sysutils@
                                                              • String ID:
                                                              • API String ID: 619835585-0
                                                              • Opcode ID: 769a27d334da4fa175056a5810ce234115566d59187558c35d95f8a1f00c0ffa
                                                              • Instruction ID: a7982feb311dfa74fab4dc917654063223abea63f5cd1ec45e59986a5486330b
                                                              • Opcode Fuzzy Hash: 769a27d334da4fa175056a5810ce234115566d59187558c35d95f8a1f00c0ffa
                                                              • Instruction Fuzzy Hash: DD114C309056899FDB10CFA9DC919DEB7F8EB58200F90456AE900A3251E7B49E05CBA1
                                                              Function 50021A30 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021ACE), ref: 50021A70
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021ACE), ref: 50021A92
                                                              • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1rx24Sysutils@TFormatSettings.RTL120(?,00000000,00000000,50021ACE), ref: 50021AA4
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021ACE), ref: 50021AB3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$FromStringSysutils@$AnsiFloatStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20Fmt$qqrpbpxv20FormatInternalLen$qqrr20SettingsStringpbiTextValuet1rx24
                                                              • String ID:
                                                              • API String ID: 450212489-0
                                                              • Opcode ID: a3dcc1f81dabbd884260d5728da179efc1f7e6ee7e262f411babcf95e230f245
                                                              • Instruction ID: 6c94864ea6d5d124ea52cca348c6ec8d64ebc88412d021a3ebff09329b69cbe3
                                                              • Opcode Fuzzy Hash: a3dcc1f81dabbd884260d5728da179efc1f7e6ee7e262f411babcf95e230f245
                                                              • Instruction Fuzzy Hash: B111523060228AAFEF11DBA8ED5299EB7F9DF54200F544662F505D7251EB70DF40C691
                                                              Function 50021B88 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021C26), ref: 50021BC8
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021C26), ref: 50021BEA
                                                              • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1rx24Sysutils@TFormatSettings.RTL120(?,00000000,00000000,50021C26), ref: 50021BFC
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021C26), ref: 50021C0B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$FromStringSysutils@$AnsiFloatStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20Fmt$qqrpbpxv20FormatInternalLen$qqrr20SettingsStringpbiTextValuet1rx24
                                                              • String ID:
                                                              • API String ID: 450212489-0
                                                              • Opcode ID: 506c4d0157f470223a45ebc515c374535dd304c8f2841ec6c2185e66518a86b7
                                                              • Instruction ID: be0ce3d10ad342f317ac9f6b3525fc43e20e2d4a1a282cb9314027698d09642a
                                                              • Opcode Fuzzy Hash: 506c4d0157f470223a45ebc515c374535dd304c8f2841ec6c2185e66518a86b7
                                                              • Instruction Fuzzy Hash: 8B11827460128A9FDF11DBA8ED518DEB3F9EF54200F644AA2E900D3651EB709F40C6D0
                                                              Function 5002F438 Relevance: 9.1, APIs: 6, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002F450
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F46F
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002F4C9), ref: 5002F486
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002F4C9), ref: 5002F49A
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F4A6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$String$System@@Sysutils@$Asg$qqrr20ClassClassoCreate$qqrp17Exception@$bctr$qqrx20Format$qqrx20LoadMetaRecxiString$qqrp20Stringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 719264781-0
                                                              • Opcode ID: 82279774022d7fecd5dde7ff4b3fe3bf96aa76689d9b5b35dc22427500a0355b
                                                              • Instruction ID: a2645b7ded7df6c6dd4538b9128dd2fe1d0b1c7c9240a696d069f83c6a480ba7
                                                              • Opcode Fuzzy Hash: 82279774022d7fecd5dde7ff4b3fe3bf96aa76689d9b5b35dc22427500a0355b
                                                              • Instruction Fuzzy Hash: 1D117030901649AFDB10DFE9D8926AEBBB9EF99250F91427AE40493281DB749E008A91
                                                              Function 50021988 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021A22), ref: 500219C5
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021A22), ref: 500219E7
                                                              • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1.RTL120(00000000,00000000,50021A22), ref: 500219F8
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021A22), ref: 50021A07
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$FromString$AnsiFloatStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$CharChar$qqrx20Fmt$qqrpbpxv20InternalLen$qqrr20StringpbiTextValuet1
                                                              • String ID:
                                                              • API String ID: 220105677-0
                                                              • Opcode ID: 006bfad56634e30e1ede2951a2f55d569cdaa5b11a793d97a35f32b4fbe24263
                                                              • Instruction ID: 036d74904adcca26afda292c117eb6ff0a0a240ba8c665c9ccc47f17789f53e3
                                                              • Opcode Fuzzy Hash: 006bfad56634e30e1ede2951a2f55d569cdaa5b11a793d97a35f32b4fbe24263
                                                              • Instruction Fuzzy Hash: 9D115E3061128A9BDF11DBA4E9629DEB7F9EF58200F944672E505D7651EB30EF40CA80
                                                              Function 50021AE0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021B7A), ref: 50021B1D
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021B7A), ref: 50021B3F
                                                              • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1.RTL120(00000000,00000000,50021B7A), ref: 50021B50
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021B7A), ref: 50021B5F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$FromString$AnsiFloatStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$CharChar$qqrx20Fmt$qqrpbpxv20InternalLen$qqrr20StringpbiTextValuet1
                                                              • String ID:
                                                              • API String ID: 220105677-0
                                                              • Opcode ID: 10de996a424494fadf64891ef00ac74fcb95426f62f90a68df844ebbb861240a
                                                              • Instruction ID: 22b3bb944ed5e654b16ecdf05b6840fd4d7b345ebaa55648a236dabb6c7033cf
                                                              • Opcode Fuzzy Hash: 10de996a424494fadf64891ef00ac74fcb95426f62f90a68df844ebbb861240a
                                                              • Instruction Fuzzy Hash: A7115E3060128A9FDF12DFA4ED5299EB7F9EB64200F9446A2E505D7252EB309F448690
                                                              Function 50027254 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@TObject@Free$qqrv.RTL120(?,?,5002EA37,00000000,5002EB85), ref: 5002728E
                                                              • @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D0
                                                              • @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D9
                                                              • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(5002EA37,00000000,5002EB85), ref: 500272E4
                                                              • @System@ExceptAddr$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272ED
                                                              • @System@ExceptObject$qqrv.RTL120(00000000,5002EA37,00000000,5002EB85), ref: 500272F3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Except$Object$qqrv$Addr$qqrvClassClass$qqrp14Free$qqrvMetaObject@Objectp17System@@
                                                              • String ID:
                                                              • API String ID: 3884317974-0
                                                              • Opcode ID: 67d9d523dcd6260564ebb45294177d8fdd426f7379c81a39e08137fce02da52f
                                                              • Instruction ID: e6ed14f667667660170ac11691c6c759c670658a77a7e2590363da686ae2756a
                                                              • Opcode Fuzzy Hash: 67d9d523dcd6260564ebb45294177d8fdd426f7379c81a39e08137fce02da52f
                                                              • Instruction Fuzzy Hash: DF112870606A81CFF365CF7AED42661B7F1EFAD314B418169E408CB635DA30D881CB60
                                                              Function 50030760 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,500307EF), ref: 5003078A
                                                                • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,500307EF), ref: 5003079E
                                                                • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,500307EF), ref: 500307BB
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,500307EF), ref: 500307CA
                                                                • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500307EF), ref: 500307CF
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$StringStringx20$Asg$qqrr20$Cat3$qqrr20LoadRaiseRecxiStringpx14Stringt2Sysutils@Text$qqrxusTypeVariants@$CharClassClassoCreate$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceString$qqrp20Stringpbi
                                                              • String ID:
                                                              • API String ID: 2913030950-0
                                                              • Opcode ID: 6f4298eec964639a3ff7582bf64e84ce53078f507fa9f13c27cd35f1816d1073
                                                              • Instruction ID: 52d32d863b0f2654399b17d17a4284c2ace4cc9aa2092407aa442c0c846a789d
                                                              • Opcode Fuzzy Hash: 6f4298eec964639a3ff7582bf64e84ce53078f507fa9f13c27cd35f1816d1073
                                                              • Instruction Fuzzy Hash: 8C117C74D0524A8FDB05CFA8ECA19EFB7B9EB48300F50856AE904E3341D7745A01CAE1
                                                              Function 500308A4 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030933), ref: 500308CE
                                                                • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                              • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030933), ref: 500308E2
                                                                • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,50030933), ref: 500308FF
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,50030933), ref: 5003090E
                                                                • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50030933), ref: 50030913
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$StringStringx20$Asg$qqrr20$Cat3$qqrr20LoadRaiseRecxiStringpx14Stringt2Sysutils@Text$qqrxusTypeVariants@$CharClassClassoCreate$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceString$qqrp20Stringpbi
                                                              • String ID:
                                                              • API String ID: 2913030950-0
                                                              • Opcode ID: 9e4588ab5fbf3776320f84b4910e65cdf9adfca07252c9cacba831bf2d20f2b7
                                                              • Instruction ID: b206631945bac027483975cbfdcde3309e2ada628b630dd74d92ef405ac4078d
                                                              • Opcode Fuzzy Hash: 9e4588ab5fbf3776320f84b4910e65cdf9adfca07252c9cacba831bf2d20f2b7
                                                              • Instruction Fuzzy Hash: EC113074D0564A9FEB05CFA8EC519EEB7B5EF58300F50456AE904E3341D7745A01CAE1
                                                              Function 50002594 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 5000264B
                                                              • Sleep.KERNEL32(0000000A,00000000), ref: 50002661
                                                              • Sleep.KERNEL32(00000000), ref: 5000268F
                                                              • Sleep.KERNEL32(0000000A,00000000), ref: 500026A5
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 909da8435180447502b99cd17005e77f61d8cca13c779df2b902078bd9ee526c
                                                              • Instruction ID: 5e3a079f800866a7a99d18f5d12456752269fdda2f1ebf4bbfd7b8be750778e6
                                                              • Opcode Fuzzy Hash: 909da8435180447502b99cd17005e77f61d8cca13c779df2b902078bd9ee526c
                                                              • Instruction Fuzzy Hash: 2DC16876605A908FF725CF68EDA0355BBE0EB91310F98C36ED9188B3D5C770A844CB82
                                                              Function 50010530 Relevance: 9.0, APIs: 6, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120 ref: 50010538
                                                              • @System@@RaiseExcept$qqrv.RTL120 ref: 50010553
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 5001054E
                                                                • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                              • @Character@TCharacter@IsLowSurrogate$qqrb.RTL120 ref: 5001055A
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 50010570
                                                              • @System@@RaiseExcept$qqrv.RTL120 ref: 50010575
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$Character@$RaiseString$Except$qqrvException@$bctr$qqrp20Surrogate$qqrbSysutils@$AfterClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucHighList$qqrvLoadMetaObjectString$qqrp20
                                                              • String ID:
                                                              • API String ID: 2248103522-0
                                                              • Opcode ID: 573852c680a080bc0a97d15b87a50ebf7b650f53a3d381ad41dee1fe05933011
                                                              • Instruction ID: d6cb0d2706df4e8aacf07fe5ab19d242fe700b88596e7abf658fbf432eafdb11
                                                              • Opcode Fuzzy Hash: 573852c680a080bc0a97d15b87a50ebf7b650f53a3d381ad41dee1fe05933011
                                                              • Instruction Fuzzy Hash: F5F0EC312014D107F7149BE8FD966A527E2DF542847008227FCC4C7313C55DCC459790
                                                              Function 5002D28C Relevance: 9.0, APIs: 6, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D299
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2AB
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2BD
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2CF
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2E1
                                                              • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2F3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Free$qqrvObject@System@
                                                              • String ID:
                                                              • API String ID: 1799115918-0
                                                              • Opcode ID: 57d29681f9056ac9329a7d325797a05bd985a2fc8562293051953311b1bf6d3d
                                                              • Instruction ID: 768d9f2a40722debd25e9cdb4e8e1545f006035ae00f2926f4075c138192a15b
                                                              • Opcode Fuzzy Hash: 57d29681f9056ac9329a7d325797a05bd985a2fc8562293051953311b1bf6d3d
                                                              • Instruction Fuzzy Hash: F7F0B2B46059444FF714DBBBAC9147576F7EFE8360385C519D0548B125DF36D441DB40
                                                              Function 500146D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Math@LnXP1$qqrxg.RTL120(?,?,?), ref: 50014737
                                                              • @System@Ln$qqrxg.RTL120 ref: 500147D3
                                                              • @System@Exp$qqrxg.RTL120 ref: 50014826
                                                              • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014760
                                                                • Part of subcall function 500123E4: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(?,500145C0), ref: 500123F0
                                                                • Part of subcall function 500123E4: @System@@RaiseExcept$qqrv.RTL120(?,500145C0), ref: 500123F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Exp$qqrxg$Except$qqrvException@$bctr$qqrx20Ln$qqrxgMath@P1$qqrxgRaiseStringSystem@@Sysutils@Unicode
                                                              • String ID: InternalRateOfReturn
                                                              • API String ID: 309294142-2879142521
                                                              • Opcode ID: 40dbb84fc3f4aabbfd560051f9dc9f7ee145eef59bad3b00fae40bf970de2026
                                                              • Instruction ID: b61e661a85086c600ac26f88c2d9d293700b97cdbe0b4422f277c6d0116d9991
                                                              • Opcode Fuzzy Hash: 40dbb84fc3f4aabbfd560051f9dc9f7ee145eef59bad3b00fae40bf970de2026
                                                              • Instruction Fuzzy Hash: 69410960E091DA66CF516FF5DC504EEBFB4FF06900F104B5BE8E4A3162DA3289A0CB80
                                                              Function 50023964 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@StrCharLength$qqrpxb.RTL120(?), ref: 500239DB
                                                              • @Sysutils@StrNextChar$qqrpxb.RTL120 ref: 500239F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sysutils@$CharChar$qqrpxbLength$qqrpxbNext
                                                              • String ID: H
                                                              • API String ID: 4247032953-2852464175
                                                              • Opcode ID: d4cd2c9e9290bb1fd43fec2215baa18dbef9c92e5702672488c2aa5db4bf2880
                                                              • Instruction ID: e4e35325c6f34d9b65b87c66d780d8f477e977d8e87dd0103a07f57f46b7daee
                                                              • Opcode Fuzzy Hash: d4cd2c9e9290bb1fd43fec2215baa18dbef9c92e5702672488c2aa5db4bf2880
                                                              • Instruction Fuzzy Hash: 0731A53091658A8BDB10DFA8E8557EEB7F4EF05310F144226E844A76A2D3749E84C7A6
                                                              Function 500069B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 500069D6
                                                              • RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,50006A25,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 50006A09
                                                              • RegCloseKey.ADVAPI32(?,50006A2C,00000000,?,00000004,00000000,50006A25,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 50006A1F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                              • API String ID: 3677997916-4173385793
                                                              • Opcode ID: 9ee370e70f06ee6609448c8435f7d602838b41d496a2b7e5916629935dfd1a17
                                                              • Instruction ID: 68fb37e24ddefeba98026e83a54610ce6f8a69bb8d0a75ef775160f2897bda80
                                                              • Opcode Fuzzy Hash: 9ee370e70f06ee6609448c8435f7d602838b41d496a2b7e5916629935dfd1a17
                                                              • Instruction Fuzzy Hash: 5A01F579A50248BAF710DBE19C62FF977ECEB09720F504666FA04E3580E6349900CA55
                                                              Function 500117F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500117F5
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011807
                                                                • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                              • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50011849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                              • String ID: A$Z
                                                              • API String ID: 2801340237-4098844585
                                                              • Opcode ID: 3d7b16622b306a41cb389fb1ff8cb04a695359a54526d75529cb678f32deca9d
                                                              • Instruction ID: 8de0f1dd0d009ed91e586fc1ea9b6193379de2375c44f7f3be455893678d8cca
                                                              • Opcode Fuzzy Hash: 3d7b16622b306a41cb389fb1ff8cb04a695359a54526d75529cb678f32deca9d
                                                              • Instruction Fuzzy Hash: 5701D651B181910BE71C5A619C513E833D26794302B5C827EE856CB6E3DF38C5D5E220
                                                              Function 50010A54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50010A59
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50010A6B
                                                                • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                              • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50010AAD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                              • String ID: a$z
                                                              • API String ID: 2801340237-4151050625
                                                              • Opcode ID: 68cc252f88e33736421a10eeeaa1cb58d10f880ea185927b8fcd1914d9384458
                                                              • Instruction ID: 7fc53a10070eca12ef29afc55d4c6d512350c562e79b40b59943fefc8229aada
                                                              • Opcode Fuzzy Hash: 68cc252f88e33736421a10eeeaa1cb58d10f880ea185927b8fcd1914d9384458
                                                              • Instruction Fuzzy Hash: 3401F951B142D04BE7184B71AC512E937D2AB80302BC9417EF4C3CB697DBBD85D5E721
                                                              Function 5002483C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002485E
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 50024866
                                                              • @Sysutils@AnsiStrPos$qqrpbt1.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002486C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$qqrx20StringSystem@System@@Unicode$AnsiPos$qqrpbt1Sysutils@
                                                              • String ID: XlP$tlP
                                                              • API String ID: 1532255607-7086264
                                                              • Opcode ID: 991b3ea7feb4240ad0f450cbc532c132e9e449f5bec3a229383f214eb6be9b84
                                                              • Instruction ID: 41cbf7802f78e1180780a1aded232e557ab5269dbb48a6fdf072be4a9a689297
                                                              • Opcode Fuzzy Hash: 991b3ea7feb4240ad0f450cbc532c132e9e449f5bec3a229383f214eb6be9b84
                                                              • Instruction Fuzzy Hash: ABF0A7A27161D69BE7509B68FC80B6E77E8DB55264F510A36EA88C7201DA35DC00C751
                                                              Function 50003C30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • MessageBoxA.USER32(00000000,50001F08,50001EE8,00002010), ref: 50003C85
                                                                • Part of subcall function 50003BF0: OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                              • @System@SetMemoryManager$qqrrx23System@TMemoryManagerEx.RTL120 ref: 50003C65
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MemorySystem@$FileManagerManager$qqrrx23MappingMessageOpen
                                                              • String ID: <JP$jP
                                                              • API String ID: 3588758399-1976356052
                                                              • Opcode ID: 837f7ce824299e718ff31fc9975fec7b007778b051f42d7a6ff680c07298d06b
                                                              • Instruction ID: 26df9d579ac72b310c812ec49e7277c3074fc2727e4b984d6bdc51d0e5f759bc
                                                              • Opcode Fuzzy Hash: 837f7ce824299e718ff31fc9975fec7b007778b051f42d7a6ff680c07298d06b
                                                              • Instruction Fuzzy Hash: 9CF082282045C0DAF676D7B0AC75F8923EC5724240FC14B17E905F7152D761C840ABA2
                                                              Function 50003C94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 50003BF0: OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                              • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000004,Local\FastMM_PID_????????), ref: 50003CBE
                                                              • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000), ref: 50003CD6
                                                              • UnmapViewOfFile.KERNEL32(00000000,?,00000002,00000000,00000000,00000000), ref: 50003CE2
                                                              Strings
                                                              • Local\FastMM_PID_????????, xrefs: 50003CAF
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$MappingView$CreateOpenUnmap
                                                              • String ID: Local\FastMM_PID_????????
                                                              • API String ID: 2158777448-3568460072
                                                              • Opcode ID: 812e1af7b6a7b700a59ef8b948a59b648fbb4594b905c5d210d35c39233bdc6a
                                                              • Instruction ID: 9257d67356388e225cbde0ea26a55ef2e4a99ea564a19721fac7c5c684e59e6f
                                                              • Opcode Fuzzy Hash: 812e1af7b6a7b700a59ef8b948a59b648fbb4594b905c5d210d35c39233bdc6a
                                                              • Instruction Fuzzy Hash: 71F09BB064538075F6319BB06C63F8522A85721B54FA00723F720FF0D3D7F19440575A
                                                              Function 50003BF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 50003BBC: GetCurrentProcessId.KERNEL32(?,50003BF7,?,?,50003C61), ref: 50003BBD
                                                              • OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C18
                                                              • UnmapViewOfFile.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C20
                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C26
                                                              Strings
                                                              • Local\FastMM_PID_????????, xrefs: 50003BF7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$View$CloseCurrentHandleMappingOpenProcessUnmap
                                                              • String ID: Local\FastMM_PID_????????
                                                              • API String ID: 3303930959-3568460072
                                                              • Opcode ID: 7642a81f86c0cf429a4968a1d66b8e04bc81eebb4c9b12c163bbd6232915ee5e
                                                              • Instruction ID: de9adb8942b47b404bea560d384b89a0808252958130f6c2296cf7b79e4161ec
                                                              • Opcode Fuzzy Hash: 7642a81f86c0cf429a4968a1d66b8e04bc81eebb4c9b12c163bbd6232915ee5e
                                                              • Instruction Fuzzy Hash: ABE0ECA17823A136F53172F02CA3F8A954C4F25A55F940B637700BA1C2DAE49C0012D8
                                                              Function 50025D8C Relevance: 7.6, APIs: 5, Instructions: 102COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 50025D50: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?), ref: 50025D6C
                                                                • Part of subcall function 50025D50: @System@LoadResString$qqrp20System@TResStringRec.RTL120 ref: 50025D7E
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025DD9
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025DFC
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025E42
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025E65
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20Stringx20$FreeLoadLocaleMem$qqrpvMove$qqrpxvpviStr$qqriix20String$qqriString$qqrp20Sysutils@
                                                              • String ID:
                                                              • API String ID: 943917607-0
                                                              • Opcode ID: d9635f307f6dee683a94e50e8087e5007a6a068d91809b74f37d2b4e69d84ff6
                                                              • Instruction ID: da8087070b0f5265adf1fffc26e669f63a26a283c91abc2d06778dd38358d0ac
                                                              • Opcode Fuzzy Hash: d9635f307f6dee683a94e50e8087e5007a6a068d91809b74f37d2b4e69d84ff6
                                                              • Instruction Fuzzy Hash: 4D31C332A015496FDB04CA84E881AAF77AEEF88310FA14637F909E7251D635FD0187D8
                                                              Function 5000A2B4 Relevance: 7.6, APIs: 5, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A2FE
                                                              • @System@@NewUnicodeString$qqri.RTL120 ref: 5000A30F
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 5000A357
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A365
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A37A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$Asg$qqrr20Clr$qqrpvLength$qqrr20Move$qqrpxvpviStringString$qqriStringiStringx20
                                                              • String ID:
                                                              • API String ID: 2014283384-0
                                                              • Opcode ID: b61eede90e767d8fde67cc97024370c853bfedd394de62c8fd1a2fb42fa9bf36
                                                              • Instruction ID: 3378d5cb028a156183957ae48023e964bc14677264a5555a71f0aa01a3d2e280
                                                              • Opcode Fuzzy Hash: b61eede90e767d8fde67cc97024370c853bfedd394de62c8fd1a2fb42fa9bf36
                                                              • Instruction Fuzzy Hash: 7921C1317061A28FF714EE18E570A5EB3E5EBD2300FA1873AE945C7111EB22ED418751
                                                              Function 50008D7C Relevance: 7.6, APIs: 5, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrSetLength$qqrv.RTL120 ref: 50008DC5
                                                              • @System@@NewAnsiString$qqrius.RTL120 ref: 50008DD4
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 50008E1A
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 50008E28
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008E3D
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiAsg$qqrpvpxvClr$qqrpvLength$qqrvMove$qqrpxvpviString$qqriusSystem@
                                                              • String ID:
                                                              • API String ID: 3139303677-0
                                                              • Opcode ID: ab1dadf1f8bb6f253b1950cb49ad492068fbeb85a1bae5a0dea0bc8e953f108d
                                                              • Instruction ID: 8200d2bf4dcf9fe215388774a5c81f53f67553e226669b9bf43c0643cec0f83f
                                                              • Opcode Fuzzy Hash: ab1dadf1f8bb6f253b1950cb49ad492068fbeb85a1bae5a0dea0bc8e953f108d
                                                              • Instruction Fuzzy Hash: C2219E713092828BE714EE19E9B0A6AB3E6FFE0300FA14B6BDAC5C7251DB31DC518751
                                                              Function 500279E4 Relevance: 7.6, APIs: 5, Instructions: 80COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 500279F6
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027ABC), ref: 50027A2F
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027ABC), ref: 50027A79
                                                              • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027ABC), ref: 50027A96
                                                              • @System@@LStrClr$qqrpv.RTL120(50027AC3), ref: 50027AB6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromInternalStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharClr$qqrpvIndex$qqrx27NextRef$qqrpvSysutils@T$us$i0$%i
                                                              • String ID:
                                                              • API String ID: 3584664094-0
                                                              • Opcode ID: 829ff8f312fc26a680b5dcbd4d1ee6f714a82b71f8e0defcbae22146eaef4f83
                                                              • Instruction ID: 5ba0f4aa9d540899a6946def5b7f71f7a7c44f4c34a077cce08fafb771b80344
                                                              • Opcode Fuzzy Hash: 829ff8f312fc26a680b5dcbd4d1ee6f714a82b71f8e0defcbae22146eaef4f83
                                                              • Instruction Fuzzy Hash: 8921C430A06186EFEB11DFA4EA51ABDB7F5EBC4220F6002B5D448E7251D770AF41DB92
                                                              Function 5000A464 Relevance: 7.6, APIs: 5, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120(00000000,5000A525), ref: 5000A50A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FromSystem@System@@Unicode$AnsiCharLen$qqrr20Str$qqrr20StringStringx27System@%T$us$i0$%$InternalStringpbiStringpci
                                                              • String ID:
                                                              • API String ID: 1942119235-0
                                                              • Opcode ID: fadb6b95d5fb1038a6ee0d324fefe7ba47ecd192cbbc44abc22f50522fcb7868
                                                              • Instruction ID: ad8f59b466486c7b54756af4fb6304d0c882565156628c1f2bc0eb5e63542440
                                                              • Opcode Fuzzy Hash: fadb6b95d5fb1038a6ee0d324fefe7ba47ecd192cbbc44abc22f50522fcb7868
                                                              • Instruction Fuzzy Hash: 772108347025A4DFFB11DE64D9A55ADB3E5EBD6210BE04375E800C7305DBB4DE01D691
                                                              Function 50027ACC Relevance: 7.6, APIs: 5, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B18
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B52
                                                              • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B71
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiFromInternalStr$qqrr20StringStringx27System@%System@@T$us$i0$%$CharIndex$qqrx20NextStringiSysutils@
                                                              • String ID:
                                                              • API String ID: 112165042-0
                                                              • Opcode ID: 5ab0ca6b7efa682e0a8c0cf649096109340480c0a6d78f3667cd2438d1eb862a
                                                              • Instruction ID: 35ce13431533dfb919b24986911c6e13b21b563e3ea2f71161cf238d0aa8309e
                                                              • Opcode Fuzzy Hash: 5ab0ca6b7efa682e0a8c0cf649096109340480c0a6d78f3667cd2438d1eb862a
                                                              • Instruction Fuzzy Hash: BE21B631A0218AEFDF12DFA4EA417ADB7F5EF45310F6042A2D508A7151D3749E40DB90
                                                              Function 500270C0 Relevance: 7.6, APIs: 5, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50027182), ref: 50027108
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,50027182), ref: 50027136
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,50027182), ref: 50027145
                                                              • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(00000000,50027182), ref: 50027154
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Exception@$bctr$qqrx20StringSysutils@Unicode$ClassClass$qqrp14LoadMetaObjectp17RecxiString$qqrp20Stringpx14System@@
                                                              • String ID:
                                                              • API String ID: 3708808660-0
                                                              • Opcode ID: 114fbacdc6cb7fb3462a26799a0944743581bf824f00dcc18a41d0bfae1d8de9
                                                              • Instruction ID: 33e2ff48ece4c1c09eb1b0648f1bee825e15256ae891d4046b3df70333a380a6
                                                              • Opcode Fuzzy Hash: 114fbacdc6cb7fb3462a26799a0944743581bf824f00dcc18a41d0bfae1d8de9
                                                              • Instruction Fuzzy Hash: F72192346015469FDB10CFACED919ADB7F5FF49300F508666E508D73A5DA30AE04CB90
                                                              Function 500059EC Relevance: 7.6, APIs: 5, Instructions: 69fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@SetInOutRes$qqri.RTL120(?,?,?,50005AE5), ref: 50005A13
                                                              • CreateFileW.KERNEL32(00000000,C0000000,?,00000000,00000002,00000080,00000000), ref: 50005A88
                                                              • GetStdHandle.KERNEL32(000000F5), ref: 50005AA8
                                                              • GetLastError.KERNEL32(000000F5), ref: 50005ABC
                                                              • @System@SetInOutRes$qqri.RTL120(000000F5), ref: 50005AC1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Res$qqriSystem@$CreateErrorFileHandleLast
                                                              • String ID:
                                                              • API String ID: 2961129769-0
                                                              • Opcode ID: d63abc15d01510dc30b575c880705f7218f0e4a71d622e56fee6778df18cb518
                                                              • Instruction ID: def1b6819490b2fa9b0a5e09cb0acd6702a6deccba95574e8a0b2e564d39748f
                                                              • Opcode Fuzzy Hash: d63abc15d01510dc30b575c880705f7218f0e4a71d622e56fee6778df18cb518
                                                              • Instruction Fuzzy Hash: B4113A61305281DAFB14DF58CCE079BA9959F87212FA4C356E5048F2E6E778CC40C397
                                                              Function 500284FC Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 50028538
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 5002856B
                                                              • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 50028586
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%$Internal$ByteStringiSysutils@Type$qqrx20
                                                              • String ID:
                                                              • API String ID: 2787194164-0
                                                              • Opcode ID: eec2c889b96c63f28c6d912a4f2a099ea762f16bceb9a5f7ed7734ac0c1a855f
                                                              • Instruction ID: f94e552c94311d6681ea6b9088efd7c55080737d05d2957480002ee94c899e9e
                                                              • Opcode Fuzzy Hash: eec2c889b96c63f28c6d912a4f2a099ea762f16bceb9a5f7ed7734ac0c1a855f
                                                              • Instruction Fuzzy Hash: 9C11BE38B03A96DBDF01DEB8EA825AEB3F9EF442407A086B5E500D3161E770EE01D750
                                                              Function 50015A28 Relevance: 7.6, APIs: 5, Instructions: 60COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015AB9), ref: 50015A64
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,50015AB9), ref: 50015A7B
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,50015AB9), ref: 50015A93
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$AnsiFromStr$qqrr20StringStringx27System@%T$us$i0$%$InternalLength$qqrr20Move$qqrpxvpviStringi
                                                              • String ID:
                                                              • API String ID: 986796861-0
                                                              • Opcode ID: 10025f9b933ecd5712bc93f26f254c4d90db7b168fed868ef1a57108d806b3bb
                                                              • Instruction ID: 273e415b261a473a3476493ac361f3ac1f54f6cd7220035dc33fede40ddaa886
                                                              • Opcode Fuzzy Hash: 10025f9b933ecd5712bc93f26f254c4d90db7b168fed868ef1a57108d806b3bb
                                                              • Instruction Fuzzy Hash: F3110031740284DFEB04CBA9DDD29AAB3F9EF996007E4037AE904CB311EB70DE408691
                                                              Function 500095F4 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrClr$qqrpv.RTL120(?,?,?), ref: 50009611
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?,?,?), ref: 5000964A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$CharClr$qqrpvFreeFromLen$qqrr17StringStringpbiSystem@Wide
                                                              • String ID:
                                                              • API String ID: 4035486651-0
                                                              • Opcode ID: 58788c31a9392e6549bcfa84bf31123cf4ff7a055d905c796c92d66516e9aead
                                                              • Instruction ID: f7e519a3914915a7ddd12a0a43312b4a76140a576ef5cdbbdeb6b3b112df9300
                                                              • Opcode Fuzzy Hash: 58788c31a9392e6549bcfa84bf31123cf4ff7a055d905c796c92d66516e9aead
                                                              • Instruction Fuzzy Hash: 9111CE31B0564957AB00DAA9D8E18CFB2DA9FA8210B944337BA04E3312DEB6DE4447D0
                                                              Function 50027888 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 50027895
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027920), ref: 500278C2
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027920), ref: 500278EE
                                                              • @Sysutils@ByteToCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027920), ref: 50027903
                                                              • @System@@LStrClr$qqrpv.RTL120(50027927), ref: 5002791A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Internal$ByteCharClr$qqrpvIndex$qqrx27Ref$qqrpvSysutils@T$us$i0$%i
                                                              • String ID:
                                                              • API String ID: 4214602929-0
                                                              • Opcode ID: 5a3c4d89908cf0cf4437ecb80cfc5886c6d8491ff44f0f31cfd21df03d7b4b82
                                                              • Instruction ID: c3c75d1b48e19cc3e1f6b6390753f07d084fbfb0e8c4f9dbf7f6214b8e7eb97a
                                                              • Opcode Fuzzy Hash: 5a3c4d89908cf0cf4437ecb80cfc5886c6d8491ff44f0f31cfd21df03d7b4b82
                                                              • Instruction Fuzzy Hash: D511A030B01286EFAB05DFB8EB5697DB3F9EB482007A04275E508D3655EB70EE40D750
                                                              Function 50027930 Relevance: 7.6, APIs: 5, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50027968
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50027992
                                                              • @Sysutils@ByteToCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 500279A7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%$Internal$ByteCharIndex$qqrx20StringiSysutils@
                                                              • String ID:
                                                              • API String ID: 1663083771-0
                                                              • Opcode ID: 68e17aca844da68af2cac0459f8ec52d04a034524aca00c230a62bba0d0821d2
                                                              • Instruction ID: aa1a79b2077093aec0dc215978b6579e0673518319e3e08c2949f697f48abfbb
                                                              • Opcode Fuzzy Hash: 68e17aca844da68af2cac0459f8ec52d04a034524aca00c230a62bba0d0821d2
                                                              • Instruction Fuzzy Hash: EC112E30701286DFAF01CFAAEA42969B7F9EB88200BA042B6E508D3655E770EE40D650
                                                              Function 5000A164 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A1CE
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$Unicode$Clr$qqrpvLength$qqrr20Move$qqrpxvpviStringStringi$AnsiAsg$qqrr20FreeFromMem$qqrpvMem$qqrrpviReallocStr$qqrr20String$qqriStringx20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 87712638-0
                                                              • Opcode ID: b2517f3e29e0c2378a26b9be41a75c938c5ddf139d7f123da371e61d7ede2628
                                                              • Instruction ID: 79869a9546d8ae15c7d4563ffc226c392f69356ca43a144d6d3bba8582a221f3
                                                              • Opcode Fuzzy Hash: b2517f3e29e0c2378a26b9be41a75c938c5ddf139d7f123da371e61d7ede2628
                                                              • Instruction Fuzzy Hash: C901B5347435A14BFB18E649D471B6AB3F3AFD6210FE4C71AA6058B249DAB09C41C782
                                                              Function 5001C048 Relevance: 7.6, APIs: 5, Instructions: 54timefileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindNextFileW.KERNEL32(?,?), ref: 5001C059
                                                              • GetLastError.KERNEL32(?,?), ref: 5001C062
                                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 5001C078
                                                              • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001C087
                                                              • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001C0BD
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileTime$Array$qqrr20DateErrorFindFromLastLocalNextStringpbiSystem@System@@Unicode
                                                              • String ID:
                                                              • API String ID: 2911837428-0
                                                              • Opcode ID: d772afcc146df195d284147fd921b47fd2c998ab065165d502e497404e87112c
                                                              • Instruction ID: 5728537e3c39e6084da27139d89328dfbbaad40690f3e6d11adc8d77ec81f8e3
                                                              • Opcode Fuzzy Hash: d772afcc146df195d284147fd921b47fd2c998ab065165d502e497404e87112c
                                                              • Instruction Fuzzy Hash: D6115BB26041809FDB45DFA8D8C1C87B3ECAF8C21075586A2ED48DF24AE630D9508BA1
                                                              Function 5001A744 Relevance: 7.6, APIs: 5, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A7D5), ref: 5001A780
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A7D5), ref: 5001A79F
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A7D5), ref: 5001A7BA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Copy$qqrx20EnsureInternalString$qqrr20Stringii
                                                              • String ID:
                                                              • API String ID: 983657741-0
                                                              • Opcode ID: 8f8e674ff806139dc7915cbd04f5f4ac68111c59e7e358a9f3dc38c30ea9b737
                                                              • Instruction ID: 6fc85c46829d5016a76dc39be3afba1c4c63ccbbd777daa4708c9c8809dd5562
                                                              • Opcode Fuzzy Hash: 8f8e674ff806139dc7915cbd04f5f4ac68111c59e7e358a9f3dc38c30ea9b737
                                                              • Instruction Fuzzy Hash: 89116534A04298EFDB11DFA8DD9199DB7F8EF4A210B6043B6E500D36D1E7749F80D681
                                                              Function 50007734 Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@TMonitor@CheckOwningThread$qqrv.RTL120 ref: 50007749
                                                                • Part of subcall function 50007234: GetCurrentThreadId.KERNEL32 ref: 50007238
                                                                • Part of subcall function 50007234: @System@Error$qqr20System@TRuntimeError.RTL120 ref: 50007243
                                                              • @System@TMonitor@QueueWaiter$qqrr30System@TMonitor@TWaitingThread.RTL120(00000000,500077CE), ref: 50007773
                                                              • @System@TMonitor@Exit$qqrv.RTL120(00000000,500077CE), ref: 50007781
                                                                • Part of subcall function 500074A4: @System@TMonitor@CheckOwningThread$qqrv.RTL120 ref: 500074AA
                                                                • Part of subcall function 500074A4: @System@TMonitor@GetEvent$qqrv.RTL120 ref: 500074D9
                                                              • @System@TMonitor@Enter$qqrui.RTL120(?), ref: 500077A2
                                                                • Part of subcall function 5000730C: @System@TMonitor@TryEnter$qqrv.RTL120 ref: 5000731C
                                                                • Part of subcall function 5000730C: GetTickCount.KERNEL32 ref: 50007343
                                                                • Part of subcall function 5000730C: GetTickCount.KERNEL32 ref: 50007355
                                                              • @System@TMonitor@RemoveWaiter$qqrr30System@TMonitor@TWaitingThread.RTL120(?), ref: 500077AC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Monitor@$Thread$CheckCountOwningThread$qqrvTickWaiter$qqrr30Waiting$CurrentEnter$qqruiEnter$qqrvErrorError$qqr20Event$qqrvExit$qqrvQueueRemoveRuntime
                                                              • String ID:
                                                              • API String ID: 3245137772-0
                                                              • Opcode ID: c8d6062a3806072e0c5270ae9d5596829130f44f1f64b0f71c9e445ccb500201
                                                              • Instruction ID: 9226aa66a553e5a02f3549cd2e7d24c02f66a86d0b6f512f8c85fedbd385ecc6
                                                              • Opcode Fuzzy Hash: c8d6062a3806072e0c5270ae9d5596829130f44f1f64b0f71c9e445ccb500201
                                                              • Instruction Fuzzy Hash: 19114F74E016849FEB00CFB8DE9445EBBF4EF4871075586A9E819E7352D778AD00CBA0
                                                              Function 500283D4 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 50028410
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 5002842B
                                                              • @Sysutils@StrCharLength$qqrpxb.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 50028439
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20InternalLength$qqrpxbSysutils@
                                                              • String ID:
                                                              • API String ID: 3042977434-0
                                                              • Opcode ID: 35d1e42feb42f13eecb656c74661683a5158f8c6915138d9e1fd8d021dc4de57
                                                              • Instruction ID: 36fcfea0c2849a8d324b642c74e4cb449ffd548fbf6f67616c7ea078cdc77676
                                                              • Opcode Fuzzy Hash: 35d1e42feb42f13eecb656c74661683a5158f8c6915138d9e1fd8d021dc4de57
                                                              • Instruction Fuzzy Hash: A201F935A031979FEB00EFA4EC42599B3FAEF843007958772E904A3625E7399E00D350
                                                              Function 5001A7E4 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A86A), ref: 5001A81D
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A86A), ref: 5001A837
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A86A), ref: 5001A84F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$System@System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Copy$qqrx20EnsureInternalString$qqrr20Stringii
                                                              • String ID:
                                                              • API String ID: 983657741-0
                                                              • Opcode ID: 74344b50583a924356235f014e24c58766c9e58c312ed4462f199f85a523a2ea
                                                              • Instruction ID: 132a61221e42f68fe096f2f0703ce72c7c0d537a3ed7cef0da9aebb690a8ca7d
                                                              • Opcode Fuzzy Hash: 74344b50583a924356235f014e24c58766c9e58c312ed4462f199f85a523a2ea
                                                              • Instruction Fuzzy Hash: 6301B930A11399EFEB14DFA9DD529ADB3F8FF4A200BA04276E500D3111EB70DE41D691
                                                              Function 50015834 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500158BE), ref: 50015874
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500158BE), ref: 50015891
                                                              • @Sysutils@AnsiSameStr$qqrx20System@UnicodeStringt1.RTL120(?,00000000,500158BE), ref: 5001589C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$AnsiSystem@@$FromStr$qqrr20StringStringx27System@%T$us$i0$%$Copy$qqrx20InternalSameStr$qqrx20StringiiStringt1Sysutils@
                                                              • String ID:
                                                              • API String ID: 379066412-0
                                                              • Opcode ID: c9586697ffbc2b73cdd91dbbcbba96766bafe00c22bacf04bf09434da6c89794
                                                              • Instruction ID: 5f4c935dc7326f4b5ffd1e52cde991efdb19edfe8de5ec90e514678ba51a4583
                                                              • Opcode Fuzzy Hash: c9586697ffbc2b73cdd91dbbcbba96766bafe00c22bacf04bf09434da6c89794
                                                              • Instruction Fuzzy Hash: 15018030B00288EFEF01CFA8D99199EB7F9EF49300FA042B6E504E7245EB309E449651
                                                              Function 50034AFC Relevance: 7.6, APIs: 5, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 50034B1F
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000000,50034BA6,?,?,?), ref: 50034B50
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?,?,00000000,50034BA6,?,?,?), ref: 50034B5C
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000000,50034BA6,?,?,?), ref: 50034B6E
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50034B90,00000000,50034BA6,?,?,?), ref: 50034B83
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$From$AnsiCharChar$qqrr20Check$qqrlususClear$qqrr8Copy$qqrx20DataInitInternalLen$qqrr20ResultStr$qqrr20StringStringiiStringpbStringpbiStringx27System@%T$us$i0$%VariantVariants@Variants@@
                                                              • String ID:
                                                              • API String ID: 3736319910-0
                                                              • Opcode ID: ebd834bf680c6baec22fe879fb1f0e6004b62349d4d0877ebd8845f9e908f8bb
                                                              • Instruction ID: dc333be834a63f94453bcacffb570c20eb218bb0109c4df2f1bcee80a57512a2
                                                              • Opcode Fuzzy Hash: ebd834bf680c6baec22fe879fb1f0e6004b62349d4d0877ebd8845f9e908f8bb
                                                              • Instruction Fuzzy Hash: 0C01D2705006886FDB12CBA4DC61FAFB3ECFB4A310F510672FA10E3690D630AD00C6A1
                                                              Function 5000D160 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D199
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1AD
                                                              • @System@UnicodeToUtf8$qqrpcuipbui.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1BC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20InternalUtf8$qqrpcuipbui
                                                              • String ID:
                                                              • API String ID: 3779820642-0
                                                              • Opcode ID: 92ff47a1b225b4d742312c647edfc1f9fd4c817f481cd0b4d27eeb15f79c464d
                                                              • Instruction ID: e04ebdc101fc4bf289a004674db906102c3d27fd8c3307898635fa4b721bd642
                                                              • Opcode Fuzzy Hash: 92ff47a1b225b4d742312c647edfc1f9fd4c817f481cd0b4d27eeb15f79c464d
                                                              • Instruction Fuzzy Hash: A1017534611A85BFBB11CFB9D9B199AB7F9EF492007D04677E504D3601EA30EE01D660
                                                              Function 5002B158 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B17B
                                                              • @System@TObject@GetInterface$qqrrx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B189
                                                                • Part of subcall function 50006CB4: @System@TObject@GetInterfaceEntry$qqrrx5_GUID.RTL120(00000000,50006D38), ref: 50006CE0
                                                                • Part of subcall function 50006CB4: @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(50006D3F), ref: 50006D32
                                                              • @Sysutils@Supports$qqrx45System@%DelphiInterface$t17System@IInterface%rx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B199
                                                              • @System@TObject@GetInterface$qqrrx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B1A8
                                                              • @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(5002B1D6,?,?,?,00000000), ref: 5002B1C9
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$DelphiInterface$t17System@%$Clear$qqrr45Interface%IntfObject@System@@$Interface$qqrrx5_$Entry$qqrrx5_InterfaceInterface%rx5_Supports$qqrx45Sysutils@
                                                              • String ID:
                                                              • API String ID: 3577717398-0
                                                              • Opcode ID: e289cbe9458d8958e45cc763ccf8e6ca795d0cba2e6690692d1028c7d287d737
                                                              • Instruction ID: 3f1c98fecfe68b52bf16856e5ff3d398f0e3bde1a59a24ad800dfe1f19cdd018
                                                              • Opcode Fuzzy Hash: e289cbe9458d8958e45cc763ccf8e6ca795d0cba2e6690692d1028c7d287d737
                                                              • Instruction Fuzzy Hash: 6CF0F9303062855BEB04EBA5FC7295AB3DECF99358BD14276A900C3303DA60DC254690
                                                              Function 50008C34 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C72
                                                                • Part of subcall function 500087FC: @System@@NewAnsiString$qqrius.RTL120(?,?,500056AE,00000000), ref: 50008821
                                                                • Part of subcall function 500087FC: @System@Move$qqrpxvpvi.RTL120(00000000,?,500056AE,00000000), ref: 5000882D
                                                                • Part of subcall function 500087FC: @System@@FreeMem$qqrpv.RTL120(500056AE,00000000), ref: 5000884F
                                                              • @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C5B
                                                                • Part of subcall function 5000925C: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 50009281
                                                                • Part of subcall function 5000925C: @System@@ReallocMem$qqrrpvi.RTL120(?,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 5000929E
                                                                • Part of subcall function 5000925C: @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092B7
                                                              • @System@Move$qqrpxvpvi.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C81
                                                              • @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C8E
                                                              • @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C9C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$AnsiClr$qqrpvLength$qqrvMove$qqrpxvpvi$Asg$qqrpvpxvFreeFromMem$qqrpvMem$qqrrpviReallocStr$qqrr27StringString$qqriusStringusSystem@%T$us$i0$%x20Unicode
                                                              • String ID:
                                                              • API String ID: 2086941991-0
                                                              • Opcode ID: c11578e97b51d0ebb740e0e0c89a11e6e1b3a7aca5931f475eef3c08a106609f
                                                              • Instruction ID: 70c44d853572e2918cefb12b18bb5fbd04c90bfbcf4b79bc5922f659862d1e0c
                                                              • Opcode Fuzzy Hash: c11578e97b51d0ebb740e0e0c89a11e6e1b3a7aca5931f475eef3c08a106609f
                                                              • Instruction Fuzzy Hash: 9E01D4347020904BFB18D759D8B0A2DB3F2BFD5201BA4836EE284CB359DAB19C0187A2
                                                              Function 5002A914 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@SysErrorMessage$qqrui.RTL120(00000000,5002A99F,?,00000000), ref: 5002A940
                                                                • Part of subcall function 50025B28: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B47
                                                                • Part of subcall function 50025B28: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B69
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5002A99F,?,00000000), ref: 5002A962
                                                                • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5002A99F,?,00000000), ref: 5002A978
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,5002A99F,?,00000000), ref: 5002A984
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@Sysutils@Unicode$Exception@$bctr$qqrp20Recxi$Asg$qqrr20CharClassClassoCreate$qqrp17ErrorExcept$qqrvFormatFormat$qqrx20FromLen$qqrr20LoadMessageMessage$qqruiMetaRaiseRecpx14String$qqrp20StringpbiStringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 1617757611-0
                                                              • Opcode ID: 34b26c9ffda536621193965357a84d2c17b85b6f44bcd05500fd26bb6e704703
                                                              • Instruction ID: 9c2c5285b6efc6558c6871cf73d9fb702bd57b1419b1abeba3fe6d9365420b74
                                                              • Opcode Fuzzy Hash: 34b26c9ffda536621193965357a84d2c17b85b6f44bcd05500fd26bb6e704703
                                                              • Instruction Fuzzy Hash: E201DB74A056869FD714CFA5FC809AEB7F9EB59300F51863AE900E3351DB309D40C7A1
                                                              Function 500282B4 Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 500282F2
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 5002830D
                                                              • @Sysutils@StrCharLength$qqrpxb.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 5002831B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20InternalLength$qqrpxbSysutils@
                                                              • String ID:
                                                              • API String ID: 3042977434-0
                                                              • Opcode ID: 6379ca91532523d5bce16a0909a6e0df30a6d0f000e913d4fb421b896347fca2
                                                              • Instruction ID: 47000205c57155a74c5d18828630aa859fd0bb08eddc99539042e8fa57d804a7
                                                              • Opcode Fuzzy Hash: 6379ca91532523d5bce16a0909a6e0df30a6d0f000e913d4fb421b896347fca2
                                                              • Instruction Fuzzy Hash: 6101DF34A131C6EFEB00DBA8E91289DB3FAEF94600BA182B2E50093614E7349F00D390
                                                              Function 50028470 Relevance: 7.5, APIs: 5, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120(00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 5002847E
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284AE
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284C7
                                                              • @Sysutils@StrCharLength$qqrpxc.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284CF
                                                              • @System@@LStrClr$qqrpv.RTL120(500284F5,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284E8
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharChar$qqrx27Clr$qqrpvInternalLength$qqrpxcRef$qqrpvSysutils@T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 2156883435-0
                                                              • Opcode ID: a3c48d0067439e3e87823feac1d7b494006b287914f12001d4e96a8a66b71b4b
                                                              • Instruction ID: 715662b57516d9754a6f786f41bd808451b406471416e7d906745c201c20a256
                                                              • Opcode Fuzzy Hash: a3c48d0067439e3e87823feac1d7b494006b287914f12001d4e96a8a66b71b4b
                                                              • Instruction Fuzzy Hash: C801DF30A0618AEF9B10EFB1ED6286DB3F9FB4420079146B6E800D3251E738EE0097A0
                                                              Function 5001D8E0 Relevance: 7.5, APIs: 5, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5001D8EE
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5001D956), ref: 5001D91B
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D956), ref: 5001D92E
                                                              • @Sysutils@StrLCopy$qqrpcpxcui.RTL120(00000000,5001D956), ref: 5001D939
                                                              • @System@@LStrClr$qqrpv.RTL120(5001D95D), ref: 5001D950
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Char$qqrx27Clr$qqrpvCopy$qqrpcpxcuiInternalRef$qqrpvSysutils@T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 225901233-0
                                                              • Opcode ID: e797eab4a70677fbd8b65bf4ea9112dab01743d87ce20a58422a53b87a9f2b62
                                                              • Instruction ID: 6789688a35950e27e6b693cafdea5081acba6db0b001ad7a1da5a9f1fa3c46a1
                                                              • Opcode Fuzzy Hash: e797eab4a70677fbd8b65bf4ea9112dab01743d87ce20a58422a53b87a9f2b62
                                                              • Instruction Fuzzy Hash: 3E01A230700A85AFAB01DFB8EDA186EB3F9EB492407A04277E504D3254EB70DE42C790
                                                              Function 5002E0E4 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002E0F3
                                                              • GetCPInfo.KERNEL32(5002E1B0,?,00000000), ref: 5002E113
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002E1B0,?,00000000), ref: 5002E129
                                                              • @System@@RaiseExcept$qqrv.RTL120(5002E1B0,?,00000000), ref: 5002E12E
                                                              • @System@@AfterConstruction$qqrp14System@TObject.RTL120(5002E1B0,?,00000000), ref: 5002E146
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@$AfterClassClassoConstruction$qqrp14Create$qqrp17Except$qqrvException@$bctr$qqrp20InfoMetaObjectRaiseStringSysutils@
                                                              • String ID:
                                                              • API String ID: 2125405577-0
                                                              • Opcode ID: 75e8563de8be2d28d6ec57e3352ae8178458ce8a71039ebcc560a7693fac316e
                                                              • Instruction ID: e188588ab113c5b644c7c0773fcb92f3a1bc056ea3630c60d22f3d69e5b640df
                                                              • Opcode Fuzzy Hash: 75e8563de8be2d28d6ec57e3352ae8178458ce8a71039ebcc560a7693fac316e
                                                              • Instruction Fuzzy Hash: 3001A772A027C58FD720DFACED81996B7E8AF14660B00872AFD59C7741E631E91487E1
                                                              Function 50028348 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 50028356
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,500283C6), ref: 50028388
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500283C6), ref: 500283A1
                                                              • @Sysutils@StrCharLength$qqrpxc.RTL120(00000000,500283C6), ref: 500283A9
                                                              • @System@@LStrClr$qqrpv.RTL120(500283CD), ref: 500283C0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharChar$qqrx27Clr$qqrpvInternalLength$qqrpxcRef$qqrpvSysutils@T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 2156883435-0
                                                              • Opcode ID: 61786a68f427a2116d5208153580c4d6983de50613a64baaa57ab0f0d3e4fb59
                                                              • Instruction ID: 1d01ce25d3aa61c431e68410e02d36fe869a463c4c523e8f2aa4dd5117b6b204
                                                              • Opcode Fuzzy Hash: 61786a68f427a2116d5208153580c4d6983de50613a64baaa57ab0f0d3e4fb59
                                                              • Instruction Fuzzy Hash: 82018F30A06185AFDB01DFB4E96296DB3E9EF44640B9106B7F440D3252E734AF009790
                                                              Function 5001D964 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D9D8), ref: 5001D99D
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001D9D8), ref: 5001D9B0
                                                              • @Sysutils@StrLCopy$qqrpbpxbui.RTL120(00000000,5001D9D8), ref: 5001D9BB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Copy$qqrpbpxbuiInternalSysutils@
                                                              • String ID:
                                                              • API String ID: 1472205855-0
                                                              • Opcode ID: d2a7149999e3ca1ca5ee6a783244f8d1fcb7852485f042ca67bcb824e4d164b7
                                                              • Instruction ID: c11af60418324f05763cb7e6f29752fa05ca89a2dc4a7eae182604277afe3d4f
                                                              • Opcode Fuzzy Hash: d2a7149999e3ca1ca5ee6a783244f8d1fcb7852485f042ca67bcb824e4d164b7
                                                              • Instruction Fuzzy Hash: 05016231710E85AFAF01DFA9DD9285DB3F9EF8820079046B7E504D3611EB709E42D651
                                                              Function 500269DC Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500269ED
                                                              • @Sysutils@LoadStr$qqri.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A0F
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A1D
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A28
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@Sysutils@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20LoadMetaRecxiStr$qqriStringStringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 2765079483-0
                                                              • Opcode ID: ce2d3a5686d0a63d1e0902a166e3335a6fa43bf775ea014feb5ef3839ae02889
                                                              • Instruction ID: 29fd1fbf12b5fecb8cf52ab6bc17093bc504a80d2aac76fc4f53b572846cc74c
                                                              • Opcode Fuzzy Hash: ce2d3a5686d0a63d1e0902a166e3335a6fa43bf775ea014feb5ef3839ae02889
                                                              • Instruction Fuzzy Hash: EA01A275600289ABD700CE94EC91E9EB7A9EF89720F918362F904A7740DB30EE01CAD1
                                                              Function 50026A78 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026A89
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AAB
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AB9
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AC4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20LoadMetaRecxiString$qqrp20Stringpx14Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2968566035-0
                                                              • Opcode ID: 817dbf46161607a9b669e8961ae92c471a57c141c410dc2a02020cdf9f22e400
                                                              • Instruction ID: a4508fb9ca55fcdc9539e334686b33a01e34f88c829117d28a676305680eca9a
                                                              • Opcode Fuzzy Hash: 817dbf46161607a9b669e8961ae92c471a57c141c410dc2a02020cdf9f22e400
                                                              • Instruction Fuzzy Hash: 9001A235601689AFD700CF94EC51E9EB7A9EF89620F918272F904A7740DA31EE01CAE1
                                                              Function 5002671C Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002672D
                                                              • @Sysutils@LoadStr$qqri.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 5002674F
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 5002675D
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 50026768
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@Sysutils@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20LoadMetaRecxiStr$qqriStringStringpx14Stringx20
                                                              • String ID:
                                                              • API String ID: 2765079483-0
                                                              • Opcode ID: 82797bbb40d43ac66670649aa24e2307c392cdea19954696096313799db10cbd
                                                              • Instruction ID: beac2be98222c8cf5cd228bb1a13cdf081a6ca164530b3398e22c63253403a1c
                                                              • Opcode Fuzzy Hash: 82797bbb40d43ac66670649aa24e2307c392cdea19954696096313799db10cbd
                                                              • Instruction Fuzzy Hash: F0F0A4356052886BD700DA94EC92E9EB7ADEF99760F918362F90497340D635AE01C691
                                                              Function 500267B0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20LoadMetaRecxiString$qqrp20Stringpx14Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2968566035-0
                                                              • Opcode ID: eb8dbeff97980f41212820df1590c374e9b04be7e90399179c1a7d1c7f44e779
                                                              • Instruction ID: 59d3e7adbb39bbbd23096f0306fd7bc4bc599d625c45f80d349e960b686eec1b
                                                              • Opcode Fuzzy Hash: eb8dbeff97980f41212820df1590c374e9b04be7e90399179c1a7d1c7f44e779
                                                              • Instruction Fuzzy Hash: 58F0A9356016886BE710DA94EC52E9EB7ADDF85710F914372F90497341DA35AE01C6D1
                                                              Function 50010598 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500105AC
                                                              • @System@TObject@ClassName$qqrv.RTL120(00000000,50010608), ref: 500105C6
                                                              • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,50010608), ref: 500105E8
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,50010608), ref: 500105ED
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$ClassSystem@@$ClassoCreate$qqrp17Except$qqrvException@$bctr$qqrp20MetaName$qqrvObject@RaiseRecpx14RecxiStringSysutils@
                                                              • String ID:
                                                              • API String ID: 2276446640-0
                                                              • Opcode ID: a47437a02414486e94db703e65b95041672a09583fc297ca935734f4a65545cb
                                                              • Instruction ID: 7635616e979078c9aaefdf8b0fdb21b021419f1ddeeb6f58034bbde12a420e8e
                                                              • Opcode Fuzzy Hash: a47437a02414486e94db703e65b95041672a09583fc297ca935734f4a65545cb
                                                              • Instruction Fuzzy Hash: 6D01F934D04688AFE714CFA4ECA19AEB7B8EB45310F8083A6F854D3380E7315A00CA91
                                                              Function 5002D210 Relevance: 7.5, APIs: 5, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayAddRef$qqrv.RTL120(?,?,00000000), ref: 5002D21E
                                                              • @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,00000000,5002D27D,?,?,?,00000000), ref: 5002D241
                                                                • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002DC60
                                                                • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002DC65
                                                                • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DC88
                                                                • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DC8D
                                                                • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCB0
                                                                • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCB5
                                                                • Part of subcall function 5002DC38: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002DCBC
                                                                • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCE1
                                                                • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCE6
                                                                • Part of subcall function 5002DC38: @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,?), ref: 5002DCF3
                                                                • Part of subcall function 5002DC38: @System@@DynArraySetLength$qqrv.RTL120(?,?,?,?), ref: 5002DD0D
                                                              • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%.RTL120(?,?,00000000,5002D27D,?,?,?,00000000), ref: 5002D24E
                                                                • Part of subcall function 5002D730: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                • Part of subcall function 5002D730: @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                • Part of subcall function 5002D730: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                                • Part of subcall function 5002D730: @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D284,5002D27D,?,?,?,00000000), ref: 5002D269
                                                                • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D284,5002D27D,?,?,?,00000000), ref: 5002D277
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$Sysutils@$ArraySystem@$DynamicSystem@%$Encoding@$Except$qqrvException@$bctr$qqrp20Length$qqrvRaiseString$Recpx14Recxi$Array$tb%Array$tuc%iiBytes$qqrx24Clear$qqrrpvpv$Array$qqrpvt1uiArray$tb%iir25Array$tuc%iByteCharChars$qqrx25Count$qqrx24Count$qqrx25FinalizeFreeMem$qqrpvRef$qqrv
                                                              • String ID:
                                                              • API String ID: 306697395-0
                                                              • Opcode ID: 70b8e1b795e1d37dd9de12cc76fc3247445453c6de169292efa2efb0df9a22ae
                                                              • Instruction ID: 5ec251f640e733fb77e8b4a269d7085e3b95d1142e22d4d9b3bdac147b7f947c
                                                              • Opcode Fuzzy Hash: 70b8e1b795e1d37dd9de12cc76fc3247445453c6de169292efa2efb0df9a22ae
                                                              • Instruction Fuzzy Hash: DB01AF74205649EFEB04CF94FC91C8E73E9EB5C710BA18266FD0493750D630EE06CAA0
                                                              Function 5000E884 Relevance: 7.5, APIs: 5, Instructions: 39libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                              • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(00000000,5000E8E7,?,?,?,00000000), ref: 5000E8BB
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000E8E7,?,?,?,00000000), ref: 5000E8C3
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 5000E8CA
                                                              • @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AddressAnsiProcStringSystem@%$Char$qqrr27Char$qqrx27Clr$qqrpvFromT$us$i0$%T$us$i0$%pbus
                                                              • String ID:
                                                              • API String ID: 107858258-0
                                                              • Opcode ID: 3cf80b2481eac8ac2a36653dc93b19aa85d9f1d37a2655b46f373c6b8d52bf22
                                                              • Instruction ID: e43e5a50d2d678b4319a06595b8d852140739d2f680c724791b48c723902c0e4
                                                              • Opcode Fuzzy Hash: 3cf80b2481eac8ac2a36653dc93b19aa85d9f1d37a2655b46f373c6b8d52bf22
                                                              • Instruction Fuzzy Hash: 88F062306091C86FF701DE94DC61A5D73DCEB4D250FD18172F944A7241DA30AE0097A4
                                                              Function 5002C0CC Relevance: 7.5, APIs: 5, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C0D9
                                                              • @System@TObject@$bctr$qqrv.RTL120 ref: 5002C0E8
                                                              • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120 ref: 5002C0F9
                                                              • @Sysutils@TStringBuilder@Append$qqrx20System@UnicodeString.RTL120 ref: 5002C107
                                                              • @System@@AfterConstruction$qqrp14System@TObject.RTL120 ref: 5002C112
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$System@@Sysutils@$AfterAppend$qqrx20Builder@Builder@set_Capacity$qqriClassClassoConstruction$qqrp14Create$qqrp17MetaObjectObject@$bctr$qqrvUnicode
                                                              • String ID:
                                                              • API String ID: 2859721611-0
                                                              • Opcode ID: 21f0d74a83fb4ff8832bd7025fe4923f79583aba0890a39072b30d0fc51a864e
                                                              • Instruction ID: 39a3893f9b0b29f08e61ee327ab757ae22a9345e4dc45241c438b3d4ad3786ae
                                                              • Opcode Fuzzy Hash: 21f0d74a83fb4ff8832bd7025fe4923f79583aba0890a39072b30d0fc51a864e
                                                              • Instruction Fuzzy Hash: 9CF0A773B02581579300D6AEBC81A6AB68B9BD5670B188332F52CC7386DB268C1246E5
                                                              Function 500243A4 Relevance: 7.5, APIs: 5, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$StringSystem@System@@$EnsureString$qqrr20$AnsiFromInternalLen$qqrx20Str$qqrr20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 3020172278-0
                                                              • Opcode ID: 6cdf5f7169a857eab86092ba583cd5dfa0d9c452280a2cdb4edc37c4faf4d93b
                                                              • Instruction ID: 8a90345f6e56a0fa8899a303c97709957ae8c098f7633a4adecdb0ccf3c4c27c
                                                              • Opcode Fuzzy Hash: 6cdf5f7169a857eab86092ba583cd5dfa0d9c452280a2cdb4edc37c4faf4d93b
                                                              • Instruction Fuzzy Hash: 5DF0F031406289EFE755EFA4E8929ACB3F8EF183007A146B7E80093121E7702F00D692
                                                              Function 5002D19C Relevance: 7.5, APIs: 5, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayAddRef$qqrv.RTL120(?,?,00000000), ref: 5002D1AA
                                                              • @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%.RTL120(00000000,5002D201,?,?,?,00000000), ref: 5002D1C5
                                                                • Part of subcall function 5002DC14: @System@@DynArrayLength$qqrv.RTL120(?,?,?,5002D1CA,00000000,5002D201,?,?,?,00000000), ref: 5002DC1F
                                                                • Part of subcall function 5002DC14: @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,00000000,?,?,?,5002D1CA,00000000,5002D201,?,?,?,00000000), ref: 5002DC2C
                                                              • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%.RTL120(00000000,5002D201,?,?,?,00000000), ref: 5002D1D2
                                                                • Part of subcall function 5002D730: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                • Part of subcall function 5002D730: @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                • Part of subcall function 5002D730: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                                • Part of subcall function 5002D730: @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D208,?,?,00000000), ref: 5002D1ED
                                                                • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                              • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D208,?,?,00000000), ref: 5002D1FB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$ArrayDynamicSystem@%$Encoding@Sysutils@$Length$qqrv$Array$tb%Bytes$qqrx24Chars$qqrx25Clear$qqrrpvpv$Array$qqrpvt1uiArray$tb%iir25Array$tuc%Array$tuc%iArray$tuc%iiByteCount$qqrx24FinalizeFreeMem$qqrpvRef$qqrv
                                                              • String ID:
                                                              • API String ID: 124126621-0
                                                              • Opcode ID: 9a55dd426d69212cea5294c82b78c0f17d40f7f65fb3b2c228ee3267651922e4
                                                              • Instruction ID: ea8ea964c1ccbf4185af528d9a84d920c2f529ad8815d3faa1f173e3987db8ef
                                                              • Opcode Fuzzy Hash: 9a55dd426d69212cea5294c82b78c0f17d40f7f65fb3b2c228ee3267651922e4
                                                              • Instruction Fuzzy Hash: DBF0C234205548EFDB04DF90FC91D4973A9EB58310BA18277FC0883711D630EE02C590
                                                              Function 5001B8F0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InitializeRecord$qqrpvt1.RTL120 ref: 5001B905
                                                                • Part of subcall function 5000AE00: @System@@InitializeArray$qqrpvt1ui.RTL120 ref: 5000AE24
                                                              • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B958), ref: 5001B920
                                                              • @System@EnumResourceModules$qqrpqqripv$opv.RTL120(00000000,5001B958), ref: 5001B92D
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B958), ref: 5001B937
                                                              • @System@@FinalizeRecord$qqrpvt1.RTL120(5001B95F), ref: 5001B952
                                                                • Part of subcall function 5000AED8: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,?,?,50006C67,?,?,50006BAA), ref: 5000AEFC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$Unicode$Array$qqrpvt1uiAsg$qqrr20FinalizeInitializeRecord$qqrpvt1StringStringx20$EnumModules$qqrpqqripv$opvResource
                                                              • String ID:
                                                              • API String ID: 2269274692-0
                                                              • Opcode ID: c6deeecd6d38e02dca0c240106d8acc9fad9f78a616a536245d8c20f9f784f3c
                                                              • Instruction ID: ba510fcea000b4b5886386029a871e670e821f6a008f22ad42f0b1393bee6191
                                                              • Opcode Fuzzy Hash: c6deeecd6d38e02dca0c240106d8acc9fad9f78a616a536245d8c20f9f784f3c
                                                              • Instruction Fuzzy Hash: 59F096315012889FEB11EBA8DD9289E77EDDBD9610B958773E50093611EB305E45C6D0
                                                              Function 50022CAC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@StrNextChar$qqrpxb.RTL120 ref: 50022D1F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$qqrpxbNextSysutils@
                                                              • String ID: H
                                                              • API String ID: 518225700-2852464175
                                                              • Opcode ID: 3881d23d7963acc15f078cbd6bcd5a4cef927f5d022d7b8b47876acc1e4f8649
                                                              • Instruction ID: 3ee87861289b317458a83a3163a221fe271f487816919179d3279f33b21b68a3
                                                              • Opcode Fuzzy Hash: 3881d23d7963acc15f078cbd6bcd5a4cef927f5d022d7b8b47876acc1e4f8649
                                                              • Instruction Fuzzy Hash: F231813091668A9BDF11DFE8E8447EEB7F4FF05320F504266E804A72A2D3785A45CBB5
                                                              Function 50003980 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@FillChar$qqrpvib.RTL120 ref: 50003991
                                                              • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 50003A25
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$qqrpvibFillQuerySystem@@Virtual
                                                              • String ID: <JP$jP
                                                              • API String ID: 2244405464-1976356052
                                                              • Opcode ID: d4214674cb1b790d79c068eba0a754b99b72d6d1fa264546a80965101dd17e03
                                                              • Instruction ID: bcffa789d984cc2227a1b944b815eb85179e7a29a5b5a1ae78bfe4e670926a00
                                                              • Opcode Fuzzy Hash: d4214674cb1b790d79c068eba0a754b99b72d6d1fa264546a80965101dd17e03
                                                              • Instruction Fuzzy Hash: 7C21DA357045C18FF326C69C98E078A779AE7D5250FA48769E1C58B286D7B0DC41C793
                                                              Function 5000B95C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@_llumod$qqrv.RTL120(0000000A,00000000), ref: 5000B978
                                                              • @System@@_lludiv$qqrv.RTL120(0000000A,00000000), ref: 5000B993
                                                              • @System@@SetLength$qqrp28System@%SmallString$iuc$255%uc.RTL120 ref: 5000B9F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Length$qqrp28SmallString$iuc$255%ucSystem@%System@@System@@_lludiv$qqrvSystem@@_llumod$qqrv
                                                              • String ID: -
                                                              • API String ID: 1433924716-2547889144
                                                              • Opcode ID: fa2d9fa7220ae8a8b5e2127b09392bd41d7e1e4dd11ae780642dc36a45f227ea
                                                              • Instruction ID: bc71e0da4f25463f64f7145e0403e3090bf30eba9254fb7a0d98b2b38cbe9050
                                                              • Opcode Fuzzy Hash: fa2d9fa7220ae8a8b5e2127b09392bd41d7e1e4dd11ae780642dc36a45f227ea
                                                              • Instruction Fuzzy Hash: 07115E25B043C91AF711AE65D4E178E7BD1DF91310F60C236ED488B3B2D6718C45C740
                                                              Function 50011B70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50011B75
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011BAF
                                                              • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120 ref: 50011BE8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$CategoryCheckInitialize$qqrvLatin1$qqrbSeparator$qqr26Unicode
                                                              • String ID:
                                                              • API String ID: 1352756909-3916222277
                                                              • Opcode ID: e44d450cd53f43e8828d2ed6ef07b86b89c0741405600dd179bd049eff3e502c
                                                              • Instruction ID: 5c27785dfc3468ab4fa8786a722348d709b28dd992ebe28e9874c880dfb8179b
                                                              • Opcode Fuzzy Hash: e44d450cd53f43e8828d2ed6ef07b86b89c0741405600dd179bd049eff3e502c
                                                              • Instruction Fuzzy Hash: D1F0C891F1D0A10BE7185A65EC903F463D2EB94302B8C427AE943CB2D2FB3988D5D320
                                                              Function 500110D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500110D5
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 500110E7
                                                                • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                              • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120 ref: 50011120
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$CategoryCheckFindInitialize$qqrvLatin1$qqrbLoadLockSeparator$qqr26Unicode
                                                              • String ID:
                                                              • API String ID: 305751366-3916222277
                                                              • Opcode ID: ee0eee03fca6bd072fe399242877850c852a16c1db9b3c22b6777e204e8b1ebd
                                                              • Instruction ID: 4cfc787b75a84d5a1d5c986ac9783fa5e206bb40ce50e3d6909b12ff5fbc43b5
                                                              • Opcode Fuzzy Hash: ee0eee03fca6bd072fe399242877850c852a16c1db9b3c22b6777e204e8b1ebd
                                                              • Instruction Fuzzy Hash: E2F0E991B254A14BE3184761EC612F463E2A394312B9C423EF993CB2D6DB3589E5E720
                                                              Function 50012038 Relevance: 6.3, APIs: 4, Instructions: 314COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 84c94b66c65c3e9b87035ca3d27372d4e35400a0308ff6c0a7594b6a834fe7a0
                                                              • Instruction ID: f29600500c8ce473a63ea4a4c58500fabea73661ee4b4393fbd01134744e99f1
                                                              • Opcode Fuzzy Hash: 84c94b66c65c3e9b87035ca3d27372d4e35400a0308ff6c0a7594b6a834fe7a0
                                                              • Instruction Fuzzy Hash: 81A114314093C0AFC706CB609E66959BFB9FF5321071982DAD5808F173D3359AB6D7A2
                                                              Function 5000C120 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@GetMem$qqri.RTL120(?), ref: 5000C1A5
                                                              • @System@@FillChar$qqrpvib.RTL120(?), ref: 5000C1D5
                                                              • @System@Move$qqrpxvpvi.RTL120(?), ref: 5000C1F5
                                                              • @System@DynArrayClear$qqrrpvpv.RTL120 ref: 5000C200
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@$ArrayChar$qqrpvibClear$qqrrpvpvFillMem$qqriMove$qqrpxvpvi
                                                              • String ID:
                                                              • API String ID: 3421884137-0
                                                              • Opcode ID: d72ef6b357c912858527ba27ee4b5402b2d8ef4a25db6a3fc010ba388ca52663
                                                              • Instruction ID: 5db1012356cac20667bbd3f12f650a3e6fe453fe90b972ea62dd2f95c9d85502
                                                              • Opcode Fuzzy Hash: d72ef6b357c912858527ba27ee4b5402b2d8ef4a25db6a3fc010ba388ca52663
                                                              • Instruction Fuzzy Hash: 3B312D71E002599FDB14DF98CCA0ADEF7F1FF49220B518266E819EB352D7709E018B90
                                                              Function 50025A30 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 50024D00: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50025040), ref: 50024D80
                                                                • Part of subcall function 50024D00: @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50025040), ref: 50024D8B
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50025B12), ref: 50025A96
                                                              • @Sysutils@TryStrToTime$qqrx20System@UnicodeStringr16System@TDateTimerx24Sysutils@TFormatSettings.RTL120(?,00000000,50025B12), ref: 50025ACA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$Sysutils@$StringSystem@@$AnsiCopy$qqrx20DateFormatFromInternalSettingsStr$qqrr20StringiiStringr16Stringx27System@%T$us$i0$%Time$qqrx20Timerx24Trim$qqrx20
                                                              • String ID:
                                                              • API String ID: 2292931001-0
                                                              • Opcode ID: 84447efb2cb3415f8d16ecc4577d258c5cf45c66936d73402ad984f0ee6a8cab
                                                              • Instruction ID: d33868aacac2f56ee1de542acf73dd20ca58ab904041af6ac397144845128ccd
                                                              • Opcode Fuzzy Hash: 84447efb2cb3415f8d16ecc4577d258c5cf45c66936d73402ad984f0ee6a8cab
                                                              • Instruction Fuzzy Hash: 0C315E3090654EEFCF00DFA4E9928DDB7F6EF59301F6046A6E800A7250DB719E05DB99
                                                              Function 50025948 Relevance: 6.1, APIs: 4, Instructions: 81timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500248EC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024C6D), ref: 50024968
                                                                • Part of subcall function 500248EC: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024C6D), ref: 5002498C
                                                                • Part of subcall function 500248EC: @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50024C6D), ref: 50024997
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50025A1C), ref: 500259AA
                                                              • @Sysutils@TryStrToTime$qqrx20System@UnicodeStringr16System@TDateTime.RTL120(00000000,50025A1C), ref: 500259DA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$AnsiFromInternalStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Copy$qqrx20DateStringiiStringr16TimeTime$qqrx20Trim$qqrx20
                                                              • String ID:
                                                              • API String ID: 2689908369-0
                                                              • Opcode ID: b0c36b5748d489f7461d89ea8bf913bcfd18d707684df885256712fd9f4fa0f3
                                                              • Instruction ID: 93a382b7fa73da40bbc338623e28f744c92bd425220c80b90625fb34c49939c0
                                                              • Opcode Fuzzy Hash: b0c36b5748d489f7461d89ea8bf913bcfd18d707684df885256712fd9f4fa0f3
                                                              • Instruction Fuzzy Hash: E521D13091218ADBDF00DFA4E8829EDB7F6EF48311F6006A2D440E3200EB309E40DB89
                                                              Function 50009B2C Relevance: 6.1, APIs: 4, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@NewWideString$qqri.RTL120 ref: 50009B82
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 50009B99
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 50009BA9
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 50009BC7
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Move$qqrpxvpviSystem@$String$qqriSystem@@Wide
                                                              • String ID:
                                                              • API String ID: 2978300780-0
                                                              • Opcode ID: 9ed6245364869eda90bbe2cf8a72df44c5e7e2fe0a89643c11834f0be839a104
                                                              • Instruction ID: 2cc34c0e70a3c0a200f551ea926f3f83d6c741b9e70e651da199dcfddd72ecd4
                                                              • Opcode Fuzzy Hash: 9ed6245364869eda90bbe2cf8a72df44c5e7e2fe0a89643c11834f0be839a104
                                                              • Instruction Fuzzy Hash: D3219D757046458FEB14DE6CE9E089EB3E5EB94220B844B3DE946C7361EA31EC048781
                                                              Function 50024410 Relevance: 6.1, APIs: 4, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,500244C4), ref: 5002446D
                                                                • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,500244C4), ref: 50024472
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$StringSystem@System@@$EnsureString$qqrr20$Len$qqrx20$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 3424071357-0
                                                              • Opcode ID: 163a8ac3203b88bc679271fd277f8823215291bac1fd57a86e87f28860fdda50
                                                              • Instruction ID: f3f28708e52072fea52f12d8c3f656ea0e7ad7d042a07a009517b6842a75c669
                                                              • Opcode Fuzzy Hash: 163a8ac3203b88bc679271fd277f8823215291bac1fd57a86e87f28860fdda50
                                                              • Instruction Fuzzy Hash: 90210531901185DFCB51EFA8D891ADDB7F4EF6A310F6042A2E844D3351E7309E10C791
                                                              Function 50004D88 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004DB9
                                                              • @System@SetInOutRes$qqri.RTL120(?,?,?,00000000,?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004DBE
                                                              • @System@SetInOutRes$qqri.RTL120(?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004E01
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Res$qqriSystem@$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2047590429-0
                                                              • Opcode ID: bf90b40dc3696541b7f9f48173c2ea52aa96084c887922c783e3276879b66828
                                                              • Instruction ID: 1d09fb837ef9f7ea7c9092939effd6f02b5de1af5ec234eb996aed797f3fea0c
                                                              • Opcode Fuzzy Hash: bf90b40dc3696541b7f9f48173c2ea52aa96084c887922c783e3276879b66828
                                                              • Instruction Fuzzy Hash: 8C117BB1701148EFEB54DFA9D990A8EB7F8FF58210B504166FC08D7201D670EE00DBA4
                                                              Function 50024634 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500246CE), ref: 5002467C
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500246CE), ref: 500246A6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$StringSystem@System@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$EnsureInternalString$qqrr20$Len$qqrx20
                                                              • String ID:
                                                              • API String ID: 3299320216-0
                                                              • Opcode ID: 063df37b82a887ee646a343d3283fa2db6b459733aeeaa70d7aed97fde92dc1c
                                                              • Instruction ID: f889b8404583497afe00f4d2b022e65e4a04262e97f4224d3da720eb7ba1a7cf
                                                              • Opcode Fuzzy Hash: 063df37b82a887ee646a343d3283fa2db6b459733aeeaa70d7aed97fde92dc1c
                                                              • Instruction Fuzzy Hash: 8D11C630B0218ADFDB51DFA8E94589EB3F9EF963007A14276E940D3215E730EE01D791
                                                              Function 50013328 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Math@IsZero$qqrxgg.RTL120(00000000,00000000,00000000,?,?,?), ref: 5001333F
                                                              • @Math@SameValue$qqrxgxgg.RTL120(00000000,00000000,00000000,00000000,80000000,00003FFF,?,?,?,00000000,00000000,00000000,?,?,?), ref: 50013379
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Math@$SameValue$qqrxgxggZero$qqrxgg
                                                              • String ID:
                                                              • API String ID: 2598474148-0
                                                              • Opcode ID: c5316efb0892469dfe6559604264221be66581b1a931cb23f285ec7ffa091242
                                                              • Instruction ID: 8b6f4d4d102a9fe6760369e0e7593088a52b22f4b9c98d94c50d589b633ebce5
                                                              • Opcode Fuzzy Hash: c5316efb0892469dfe6559604264221be66581b1a931cb23f285ec7ffa091242
                                                              • Instruction Fuzzy Hash: 28110D70E48245B6EF315FA08C027AE7FA0AF01A10F208B4BFEF4A51D1DA724260C789
                                                              Function 500246E0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                              • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$StringSystem@System@@$AnsiEnsureFromInternalLen$qqrx20Str$qqrr20String$qqrr20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 2906622797-0
                                                              • Opcode ID: 9cab3a8bcc449554f3d38e26dfc2d9bd4fcf12d5c115a2b1dcda5b5b04b7de7d
                                                              • Instruction ID: a635cd3dcb40994497b53f8fe6e6c41f0fe1daa708a8bd6d2e43c945e9681864
                                                              • Opcode Fuzzy Hash: 9cab3a8bcc449554f3d38e26dfc2d9bd4fcf12d5c115a2b1dcda5b5b04b7de7d
                                                              • Instruction Fuzzy Hash: AF01B13551F1D6AED7A1AFA0F8525EEB7E8EB13300BA106B6ED2082901D3649E00A251
                                                              Function 5000D750 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5000D75A
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5000D766
                                                                • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5000D7C6
                                                              • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5000D7D4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@Wide$ArrayLength$qqrr17Length$qqrvStringi$Move$qqrpxvpviString$qqri
                                                              • String ID:
                                                              • API String ID: 2943924986-0
                                                              • Opcode ID: 085050b287510eb7b9789a4d6570b4c0541888048f5ea3701a0f565ec4d1815e
                                                              • Instruction ID: 5542b4fa33d5804e65baac3af09d9e428f9e0197dd64d1a1656dc7895a855856
                                                              • Opcode Fuzzy Hash: 085050b287510eb7b9789a4d6570b4c0541888048f5ea3701a0f565ec4d1815e
                                                              • Instruction Fuzzy Hash: 4E01F9202149495FD3109F6DD8419ABB3E2EFE0311B40C23BF545C7229EAB49942C290
                                                              Function 500098F4 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@NewWideString$qqri.RTL120 ref: 5000992F
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5000993E
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5000994E
                                                              • @System@@WStrClr$qqrpv.RTL120 ref: 50009962
                                                                • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Move$qqrpxvpviSystem@System@@$Clr$qqrpvFreeStringString$qqriWide
                                                              • String ID:
                                                              • API String ID: 2700047326-0
                                                              • Opcode ID: 2a90c5cc7be5839c9d2fdc1aa24c1342b383aaa77810758ece04b21b21fc663a
                                                              • Instruction ID: 98f1936eb00471f73aa790e79a7215fb5c6e676163bb9629522c800d1bc1a43f
                                                              • Opcode Fuzzy Hash: 2a90c5cc7be5839c9d2fdc1aa24c1342b383aaa77810758ece04b21b21fc663a
                                                              • Instruction Fuzzy Hash: 1501F7313096454BAB14DA6DECA09AEB3D8DF90610B80033DFA84C7351EE20ED05C384
                                                              Function 5001C2C8 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5001C2D3
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5001C348), ref: 5001C300
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @Sysutils@ByteType$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,5001C348), ref: 5001C31C
                                                              • @System@@LStrClr$qqrpv.RTL120(5001C34F), ref: 5001C342
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$ByteClr$qqrpvInternalRef$qqrpvSysutils@T$us$i0$%iType$qqrx27
                                                              • String ID:
                                                              • API String ID: 3795063905-0
                                                              • Opcode ID: 0090cee197739f04d46da03a3fbf7122e71953c6443ae2ffadc7c537a123e11b
                                                              • Instruction ID: edce9a773ba6554bf0e1fbf5d896e20fbc1511fab1bfff3c5ce3298a0291d8fe
                                                              • Opcode Fuzzy Hash: 0090cee197739f04d46da03a3fbf7122e71953c6443ae2ffadc7c537a123e11b
                                                              • Instruction Fuzzy Hash: 47014C30704289EF9B11DEA9DE92C6EB3F8FB482107A18275E504D3251EB70EF80D655
                                                              Function 5000A534 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@UniqueString$qqrr20System@UnicodeString.RTL120 ref: 5000A53F
                                                                • Part of subcall function 5000AAF8: @System@@NewUnicodeString$qqri.RTL120(?,5000A544), ref: 5000AAC6
                                                                • Part of subcall function 5000AAF8: @System@Move$qqrpxvpvi.RTL120(00000000,?,5000A544), ref: 5000AAD7
                                                                • Part of subcall function 5000AAF8: @System@@FreeMem$qqrpv.RTL120(?,5000A544), ref: 5000AAEC
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A559
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@Move$qqrpxvpvi.RTL120 ref: 5000A593
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A59D
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$String$AnsiFromMove$qqrpxvpviStr$qqrr20Stringx27System@%T$us$i0$%$FreeInternalLength$qqrr20Mem$qqrpvString$qqriString$qqrr20StringiUnique
                                                              • String ID:
                                                              • API String ID: 2646382837-0
                                                              • Opcode ID: c65559b3a43a539bc9f39b9396eb3fc635474360def7c2b98761288a201bb686
                                                              • Instruction ID: 572ec78243513e6f1005ed345ec0839db98a53653f4091473b1bd5e8e29c749c
                                                              • Opcode Fuzzy Hash: c65559b3a43a539bc9f39b9396eb3fc635474360def7c2b98761288a201bb686
                                                              • Instruction Fuzzy Hash: E001DF317029624BAB109A3DDDA1559B3A6BFD6215394433AA506CB21EDA71CC0582C1
                                                              Function 500141D4 Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@Random$qqrv.RTL120 ref: 500141DA
                                                              • @System@Random$qqrv.RTL120 ref: 500141EF
                                                              • @System@Ln$qqrxg.RTL120(?,?,?), ref: 5001422E
                                                              • @System@Sqrt$qqrxg.RTL120 ref: 50014245
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Random$qqrv$Ln$qqrxgSqrt$qqrxg
                                                              • String ID:
                                                              • API String ID: 817724637-0
                                                              • Opcode ID: a6d630325e0aea591bba7b45fbec38567b7a778495fcfedd49ce34c84d5982ca
                                                              • Instruction ID: fbb615ccd8c33ff108ba09c26bee9e4f63df910d59be1be1ea666f5daae47871
                                                              • Opcode Fuzzy Hash: a6d630325e0aea591bba7b45fbec38567b7a778495fcfedd49ce34c84d5982ca
                                                              • Instruction Fuzzy Hash: 9D11A3A1E0E0A962DB5227B1FC254CD7F74EE52901B968B4BE8E160172E92344B0CB91
                                                              Function 50012310 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122D7
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122E6
                                                              • @System@@RaiseExcept$qqrv.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122EB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$String$Except$qqrvException@$bctr$qqrx20LoadRaiseString$qqrp20System@@Sysutils@Unicode
                                                              • String ID:
                                                              • API String ID: 486460785-0
                                                              • Opcode ID: 7528642fe36d409ab37d41aa7cd802e04feb64ed356f621298a75c45d9c0b7a2
                                                              • Instruction ID: 93523e8249dd9ce77bc6417ffb8b9f6d823e4069e3a6fe8b24fa869761cfaa76
                                                              • Opcode Fuzzy Hash: 7528642fe36d409ab37d41aa7cd802e04feb64ed356f621298a75c45d9c0b7a2
                                                              • Instruction Fuzzy Hash: 73014531108188AFE7219B54FD5285DBBE8EF11B00FA14A67F880C3121EA36AE20C691
                                                              Function 500319C8 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@@VarCast$qqrr8TVarDatarx8TVarDatai.RTL120(?,?,?,50031AAD,?,?,?,?,?,50031D04,?,?,50031826,?,?), ref: 500319EA
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000400,00000000,?,?,?,?,50031AAD,?,?,?,?,?,50031D04), ref: 50031A07
                                                              • @Variants@VarResultCheck$qqrlusus.RTL120(?,?,00000400,00000000,?,?,?,?,50031AAD,?,?,?,?,?,50031D04), ref: 50031A33
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Check$qqrlususResultVariants@$Cast$qqrr8DataiDatarx8Variants@@
                                                              • String ID:
                                                              • API String ID: 3943155465-0
                                                              • Opcode ID: 77355a2d1c28337b9aea844143a0d13c94828378edea623601bc6950340cad5c
                                                              • Instruction ID: 02da0ea19857f0b83c7a60a854380d64f6c7b6957c68f820763625778b4e7104
                                                              • Opcode Fuzzy Hash: 77355a2d1c28337b9aea844143a0d13c94828378edea623601bc6950340cad5c
                                                              • Instruction Fuzzy Hash: E8F0F9203028602FC631935E9C41BDB63DAEFE9A13F108117F300DB3A5CE745C46C2A6
                                                              Function 50034C18 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Variants@FindCustomVariantType$qqrxusrp27Variants@TCustomVariantType.RTL120(?), ref: 50034C35
                                                              • VariantInit.OLEAUT32(?), ref: 50034C47
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,?), ref: 50034C72
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50034C94), ref: 50034C87
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Variant$CustomVariants@$Asg$qqrpvpxvClear$qqrr8DataFindInitSystem@@TypeType$qqrxusrp27Variants@@
                                                              • String ID:
                                                              • API String ID: 1995072726-0
                                                              • Opcode ID: 6812df16f2223edfe1e65330c5078d0db769e386afd4bd444ac7da077739e644
                                                              • Instruction ID: ea1964087d9d1427a46aa6f3b1a197f893924d0bd2dfccf7274c33013dd2e219
                                                              • Opcode Fuzzy Hash: 6812df16f2223edfe1e65330c5078d0db769e386afd4bd444ac7da077739e644
                                                              • Instruction Fuzzy Hash: 2901D630A05288AFCB42CFA5D8819EEF7F8EF89200F5185B2ED0497251D6749E04C751
                                                              Function 50015CF8 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 50015D0B
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50015D71), ref: 50015D38
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@LStrCopy$qqrv.RTL120(?,00000000,50015D71), ref: 50015D56
                                                              • @System@@LStrClr$qqrpv.RTL120(50015D78), ref: 50015D6B
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiFromStr$qqrr27StringStringusSystem@System@%T$us$i0$%x20Unicode$Clr$qqrpvCopy$qqrvInternalRef$qqrpv
                                                              • String ID:
                                                              • API String ID: 189229420-0
                                                              • Opcode ID: 2c5b7d96146a322dd601ddb1deb345cfb3d3b2af0608aa2e436bffa10a0899dc
                                                              • Instruction ID: 021ebf48e049fbdcf8c921bc4b6c542263af2dc2d6db323e98c0c3942a0dd369
                                                              • Opcode Fuzzy Hash: 2c5b7d96146a322dd601ddb1deb345cfb3d3b2af0608aa2e436bffa10a0899dc
                                                              • Instruction Fuzzy Hash: 4101B130A04685EF9F11CFB8EDA289DB7F9EF482007A046B2E500D7244EB709E40CB90
                                                              Function 5002D5A8 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D61B), ref: 5002D5E1
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002D61B), ref: 5002D5F4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Internal
                                                              • String ID:
                                                              • API String ID: 4285912285-0
                                                              • Opcode ID: b9cb69941f6bd798a715a23d18ccd4e8101779eda8d34779b1012db782d0a2da
                                                              • Instruction ID: 2bb75f54c739022caca7f9861818caf256e2ce358085963fa9b364de837498d7
                                                              • Opcode Fuzzy Hash: b9cb69941f6bd798a715a23d18ccd4e8101779eda8d34779b1012db782d0a2da
                                                              • Instruction Fuzzy Hash: 0C01A230701A96EFAF01DFA8E9A1859B3F8EF4920079046B2E604D3311EB70EE01D650
                                                              Function 50015BB0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015BDC
                                                                • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                              • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015BF5
                                                                • Part of subcall function 5000A464: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120(00000000,5000A525), ref: 5000A50A
                                                              • @System@@UStrCatN$qqrv.RTL120(?,?,?,?,?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015C05
                                                                • Part of subcall function 5000A2B4: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A2FE
                                                                • Part of subcall function 5000A2B4: @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 5000A357
                                                                • Part of subcall function 5000A2B4: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A365
                                                                • Part of subcall function 5000A2B4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A37A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@$Unicode$From$CharCopy$qqrx20Len$qqrr20StringStringii$AnsiAsg$qqrr20Clr$qqrpvInternalLength$qqrr20Move$qqrpxvpviN$qqrvStr$qqrr20StringiStringpbiStringpciStringx20Stringx27System@%T$us$i0$%
                                                              • String ID:
                                                              • API String ID: 1635326871-0
                                                              • Opcode ID: 8cb56cd88bb66136543759b54e723b42c2fdfd39fe3a5cbddfe58b74c9f845cd
                                                              • Instruction ID: 01ec1028dada33f9320da5f488b3fc25f556a4d1c72985eefc9655cf80fcc98c
                                                              • Opcode Fuzzy Hash: 8cb56cd88bb66136543759b54e723b42c2fdfd39fe3a5cbddfe58b74c9f845cd
                                                              • Instruction Fuzzy Hash: 0D01F435200248BFEB018E98DC51F9ABBADEF8D320F608676B504D7782DA759E0086A0
                                                              Function 5001980C Relevance: 6.0, APIs: 4, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,00000000,50019880), ref: 50019831
                                                              • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(?,00000000,50019880), ref: 50019839
                                                              • CLSIDFromString.OLE32(00000000,?,00000000,50019880), ref: 5001983F
                                                              • @System@@WStrClr$qqrpv.RTL120(50019887,50019880), ref: 5001987A
                                                                • Part of subcall function 500197B8: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?,5001E08F), ref: 500197CC
                                                                • Part of subcall function 500197B8: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?,5001E08F), ref: 500197D1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$StringSystem@@$FromWide$Char$qqrx17Clr$qqrpvExcept$qqrvException@$bctr$qqrp20RaiseRecpx14RecxiStr$qqrr17Stringx20Sysutils@Unicode
                                                              • String ID:
                                                              • API String ID: 1168828238-0
                                                              • Opcode ID: 9ab87b7335fb4515f68039e7d798c1498550c4d3bc14ec7b5041b138188d54e0
                                                              • Instruction ID: 4276e7b8eb8c2fd0cf21d2c372ffec7e5207b388c706a152fa8cb5ce2d8a9212
                                                              • Opcode Fuzzy Hash: 9ab87b7335fb4515f68039e7d798c1498550c4d3bc14ec7b5041b138188d54e0
                                                              • Instruction Fuzzy Hash: D901D630904688AFEF05CFB5DC519CEB7E8DF4A210F90467AF800D3251EE349E008650
                                                              Function 5000B590 Relevance: 6.0, APIs: 4, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000B59C
                                                              • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000B600), ref: 5000B5CE
                                                                • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                              • @System@@WStrFromPCharLen$qqrr17System@WideStringpci.RTL120(00000000,5000B600), ref: 5000B5E5
                                                              • @System@@LStrClr$qqrpv.RTL120(5000B607), ref: 5000B5FA
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$FromSystem@$AnsiStr$qqrr27StringStringusSystem@%T$us$i0$%x20Unicode$CharClr$qqrpvInternalLen$qqrr17Ref$qqrpvStringpciWide
                                                              • String ID:
                                                              • API String ID: 179845556-0
                                                              • Opcode ID: 8a79d907e03b4d6e94affb683d3040e6e61c9eeb7bdf99ad1ec3cb23640d17fb
                                                              • Instruction ID: 34ef6e9b8ab651ca66ea423fa2b672ec6f6307ffe3dcc90be6e42d6dd710627f
                                                              • Opcode Fuzzy Hash: 8a79d907e03b4d6e94affb683d3040e6e61c9eeb7bdf99ad1ec3cb23640d17fb
                                                              • Instruction Fuzzy Hash: 8B014F30A14689DFAF15EFB8DD6166EB7F8EB44300BE042B5A404D3294EB75EE00D785
                                                              Function 5001D088 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001D0F1), ref: 5001D0AB
                                                                • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                              • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001D0F1), ref: 5001D0B5
                                                                • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                                • Part of subcall function 5001C70C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                              • @System@@UStrDelete$qqrr20System@UnicodeStringii.RTL120(00000000,5001D0F1), ref: 5001D0D6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$StringiiSysutils@$AnsiCopy$qqrx20ExtractFileFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$Delete$qqrr20Delimiter$qqrx20Drive$qqrx20LastPath$qqrx20Stringt1
                                                              • String ID:
                                                              • API String ID: 2728986464-0
                                                              • Opcode ID: 753f7e1a6c6c97bbf24396121e6cbfb91f1a8a2250ef5da3e68a7d15cb4d6440
                                                              • Instruction ID: b42390ce6f7e2cc3f0a2e75dff1ecda8a9c22fa8fff3ef8285b34e87ebe0e190
                                                              • Opcode Fuzzy Hash: 753f7e1a6c6c97bbf24396121e6cbfb91f1a8a2250ef5da3e68a7d15cb4d6440
                                                              • Instruction Fuzzy Hash: 36F0C230714A889FDB05CFBCDC9195D77E8EB8D210F6046B6F404D3381EA34DE429694
                                                              Function 5000D1EC Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrToString$qqrv.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D229
                                                              • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D235
                                                              • @System@UTF8EncodeToShortString$qqrx20System@UnicodeString.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D23F
                                                                • Part of subcall function 5000D160: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D199
                                                                • Part of subcall function 5000D160: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1AD
                                                                • Part of subcall function 5000D160: @System@UnicodeToUtf8$qqrpcuipbui.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1BC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20EncodeInternalShortString$qqrvString$qqrx20Utf8$qqrpcuipbui
                                                              • String ID:
                                                              • API String ID: 3607580448-0
                                                              • Opcode ID: fb3adfc1b616c63d37c10a095645c24805800dc440cd7556cb7450fc6099ad38
                                                              • Instruction ID: 1c16621e2cb8d67273f367093e7f4ec9039ce1562dd6be5a7fed7262e5487efd
                                                              • Opcode Fuzzy Hash: fb3adfc1b616c63d37c10a095645c24805800dc440cd7556cb7450fc6099ad38
                                                              • Instruction Fuzzy Hash: E8F0C238705AC4ABF7109EA5997156A72E9EBA8600FD18273F900C3641DA74DD0392A0
                                                              Function 5000B610 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B67E), ref: 5000B64C
                                                                • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                              • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5000B67E), ref: 5000B663
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FromSystem@System@@$AnsiStr$qqrr20StringStringx27System@%T$us$i0$%Unicode$CharInternalLen$qqrr17StringpbiWide
                                                              • String ID:
                                                              • API String ID: 3836375802-0
                                                              • Opcode ID: 121b1d7daa110de507159fd92aaf49f5188387cc7d6252307e2916458b3dc339
                                                              • Instruction ID: 5ba6b1cf659b0eac9df44331a80376275ae431139069cf899d630c05516daaeb
                                                              • Opcode Fuzzy Hash: 121b1d7daa110de507159fd92aaf49f5188387cc7d6252307e2916458b3dc339
                                                              • Instruction Fuzzy Hash: 12016D30A00688DFEB11DFB8D96259DB7F9EB85300BE046B2E504E3254EB35DF10DA40
                                                              Function 5000D0AC Relevance: 6.0, APIs: 4, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrAsg$qqrpvpxv.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0E4
                                                              • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0F0
                                                              • @System@UTF8Encode$qqrx20System@UnicodeString.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0FA
                                                                • Part of subcall function 5000CF8C: @System@@LStrClr$qqrpv.RTL120(00000000,5000D09C), ref: 5000CFB7
                                                                • Part of subcall function 5000CF8C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D09C), ref: 5000CFDE
                                                                • Part of subcall function 5000CF8C: @System@@LStrSetLength$qqrv.RTL120(00000000,5000D09C), ref: 5000CFF9
                                                                • Part of subcall function 5000CF8C: @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D09C), ref: 5000D01A
                                                                • Part of subcall function 5000CF8C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,5000D09C), ref: 5000D02E
                                                                • Part of subcall function 5000CF8C: @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,00000000,5000D09C), ref: 5000D037
                                                                • Part of subcall function 5000CF8C: @System@UnicodeToUtf8$qqrpcuipbui.RTL120(00000000,00000000,5000D09C), ref: 5000D040
                                                                • Part of subcall function 5000CF8C: @System@@LStrSetLength$qqrv.RTL120(00000000,00000000,5000D09C), ref: 5000D056
                                                                • Part of subcall function 5000CF8C: @System@@LStrAsg$qqrpvpxv.RTL120(00000000,00000000,5000D09C), ref: 5000D06A
                                                                • Part of subcall function 5000CF8C: @System@@LStrClr$qqrpv.RTL120(5000D0A3), ref: 5000D08E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$System@$StringUnicode$AnsiSystem@%$FromT$us$i0$%$Asg$qqrpvpxvClr$qqrpvInternalLength$qqrvStr$qqrr20Stringx27$Char$qqrx20Char$qqrx27Encode$qqrx20Str$qqrr27StringusT$us$i0$%x20Utf8$qqrpcuipbui
                                                              • String ID:
                                                              • API String ID: 307145936-0
                                                              • Opcode ID: 08819d0066f00755660bc180d09a58690c32542b5e0c166a016e8ed3854df67c
                                                              • Instruction ID: 80467bac8e14cd6db259491f32d78e6933cbc81cdce2657633e505d679178eb2
                                                              • Opcode Fuzzy Hash: 08819d0066f00755660bc180d09a58690c32542b5e0c166a016e8ed3854df67c
                                                              • Instruction Fuzzy Hash: F9F08B38704AC8ABF7109FA49C7166973EEDB84600FE04133F900C3601DB74DD0791A4
                                                              Function 50016C40 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C65
                                                                • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(?,00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C75
                                                                • Part of subcall function 5001671C: @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                                • Part of subcall function 5001671C: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                                • Part of subcall function 5001671C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                              • @System@@UStrEqual$qqrv.RTL120(00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C7E
                                                                • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3B7
                                                                • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3CC
                                                                • Part of subcall function 5000A45C: @System@@LStrArrayClr$qqrpvi.RTL120(00000000,00000000), ref: 5000A44F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$From$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$StringiStringx20Strutils@$InternalSoundex$qqrx20$ArrayAsg$qqrr20Cat$qqrr20Cat3$qqrr20Char$qqrr20Clr$qqrpviCopy$qqrx20DupeEqual$qqrvStr$qqriString$qqrx20StringbStringiiStringt2Sysutils@
                                                              • String ID:
                                                              • API String ID: 2206128752-0
                                                              • Opcode ID: af3f8dfbe0403c831ef66ca4008089e9c1e8404da604cf0db340d0fe81840fef
                                                              • Instruction ID: 9212367c84ca732909122d909e52c0543b39d14d0cecfb00a627868e9b79e0b5
                                                              • Opcode Fuzzy Hash: af3f8dfbe0403c831ef66ca4008089e9c1e8404da604cf0db340d0fe81840fef
                                                              • Instruction Fuzzy Hash: 3AF02B3A7042486FD701CAE5DC91AAEB7ADDB8D210F614176F504D3341D934DE018194
                                                              Function 50016CB4 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CD9
                                                                • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                              • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(?,00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CE9
                                                                • Part of subcall function 5001671C: @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                                • Part of subcall function 5001671C: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                                • Part of subcall function 5001671C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                              • @Sysutils@AnsiCompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CF2
                                                                • Part of subcall function 50019FDC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A098), ref: 5001A020
                                                                • Part of subcall function 50019FDC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A098), ref: 5001A048
                                                                • Part of subcall function 50019FDC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A098), ref: 5001A05C
                                                                • Part of subcall function 50019FDC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A098), ref: 5001A066
                                                                • Part of subcall function 50019FDC: CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?,00000000,5001A098), ref: 5001A073
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$System@@$String$AnsiFrom$InternalStr$qqrr20Stringx27System@%T$us$i0$%$StringiStringx20Strutils@$Char$qqrx20CompareSoundex$qqrx20Sysutils@$Asg$qqrr20Cat$qqrr20Cat3$qqrr20Char$qqrr20Copy$qqrx20DupeStr$qqriStr$qqrx20String$qqrx20StringbStringiiStringt1Stringt2
                                                              • String ID:
                                                              • API String ID: 848067345-0
                                                              • Opcode ID: d47b1065cc661f0fcdedfbc1c7e3849fc8159ff95937f3d3b0d532aaeb83b732
                                                              • Instruction ID: a9308b81826aa0c780e1c50b45dfbe856d660fbecc3233872d1bb9e489c68cf2
                                                              • Opcode Fuzzy Hash: d47b1065cc661f0fcdedfbc1c7e3849fc8159ff95937f3d3b0d532aaeb83b732
                                                              • Instruction Fuzzy Hash: BDF0B4357042847BD701CAD5EC91AAEB7EDDB8D610FA14176F504D3381DA74DE418594
                                                              Function 50009390 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@WStrLen$qqrx17System@WideString.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093AE
                                                              • @System@@LStrFromWStr$qqrr27System@%AnsiStringT$us$i0$%x17System@WideStringus.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093C8
                                                              • @System@@WriteLString$qqrr15System@TTextRecx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093D4
                                                              • @System@@LStrClr$qqrpv.RTL120(500093F8,?,?,?,00000000,?,5000938F), ref: 500093EB
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$StringSystem@$AnsiSystem@%Wide$Clr$qqrpvFreeFromLen$qqrx17Mem$qqrpvRecx27Str$qqrr27String$qqrr15StringusT$us$i0$%iT$us$i0$%x17TextWrite
                                                              • String ID:
                                                              • API String ID: 1130800983-0
                                                              • Opcode ID: b849d90925cc33044c776b6e4e2f5848c8cfe3ce250f7a05f47d86eedd24106f
                                                              • Instruction ID: ef5ea901b8e5fa30709b5689cebf9e2eb1ad37d003b92d6465d3830585f69d9b
                                                              • Opcode Fuzzy Hash: b849d90925cc33044c776b6e4e2f5848c8cfe3ce250f7a05f47d86eedd24106f
                                                              • Instruction Fuzzy Hash: DFF059307042846BEB14CAB8AC71A4EB2DDDB89600FE18577B500C3381DD30DE018690
                                                              Function 5000D5D0 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                              • LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120 ref: 5000D62C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$FromSystem@@Unicode$CharChar$qqrr20FindInstance$qqruiLen$qqrr20LoadResourceStringStringpbStringpbi
                                                              • String ID:
                                                              • API String ID: 2990883651-0
                                                              • Opcode ID: 55ca08126530cfa26b8a12066b7b7f1d4282c8620ddcc8f6fe61370ac2b4a099
                                                              • Instruction ID: 492cc944b019d22fa5aeb3a5e8639eadf2eec20015de2a4354c3fe8e2fc88a12
                                                              • Opcode Fuzzy Hash: 55ca08126530cfa26b8a12066b7b7f1d4282c8620ddcc8f6fe61370ac2b4a099
                                                              • Instruction Fuzzy Hash: E7F02EB4701A808BFB10CA8CD8E2F8A73DC8B18201F808223B94CCB346DA21DD0183A2
                                                              Function 5000472C Relevance: 6.0, APIs: 4, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000473D
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 50004752
                                                              • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,?,00000105), ref: 5000475D
                                                                • Part of subcall function 50009E7C: @System@@NewUnicodeString$qqri.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E87
                                                                • Part of subcall function 50009E7C: @System@Move$qqrpxvpvi.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E9A
                                                                • Part of subcall function 50009E7C: @System@@LStrClr$qqrpv.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009EA1
                                                              • GetCommandLineW.KERNEL32 ref: 50004764
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@System@@Unicode$Asg$qqrr20CharClr$qqrpvCommandFileFromLen$qqrr20LineModuleMove$qqrpxvpviNameStringString$qqriStringpbiStringx20
                                                              • String ID:
                                                              • API String ID: 2864874161-0
                                                              • Opcode ID: b2b830a017bee59d4e872495292ad1b13696414d59f0388ff4c3bb92921b499a
                                                              • Instruction ID: 6a03e17f4bd4c64ae8d53e0fe39c767496f35d0f4fe9983f0094101a5260a8ef
                                                              • Opcode Fuzzy Hash: b2b830a017bee59d4e872495292ad1b13696414d59f0388ff4c3bb92921b499a
                                                              • Instruction Fuzzy Hash: CCF02EB174569053F75191AC5CA1BDF51CA4BC5551F994336BF0CCB342EE70CC0082C6
                                                              Function 5002688C Relevance: 6.0, APIs: 4, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002689B
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,500268EC,?,?,?,?,00000000), ref: 500268C0
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500268EC,?,?,?,?,00000000), ref: 500268CB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20MetaRecxiStringStringpx14Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2203270808-0
                                                              • Opcode ID: ccc7b6e6f2e119070dd8617dd0e382500ae0a435e3e97db025f3ba1d8bace3fb
                                                              • Instruction ID: 62b2d6722134464f4681b16f86bc22ffda435385ec3fff5c8aa35c22120bf3af
                                                              • Opcode Fuzzy Hash: ccc7b6e6f2e119070dd8617dd0e382500ae0a435e3e97db025f3ba1d8bace3fb
                                                              • Instruction Fuzzy Hash: 48F0C275600689AFE700CF94EC51C5AB7ADEB89720B918372F90883740DB31EE01C6D0
                                                              Function 500154BC Relevance: 6.0, APIs: 4, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,5001551A,?,?,?,00000000,00000000), ref: 500154DC
                                                                • Part of subcall function 50019EBC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019EF5
                                                                • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F08
                                                                • Part of subcall function 50019EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F13
                                                                • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F1F
                                                                • Part of subcall function 50019EBC: CharUpperBuffW.USER32(00000000,?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000), ref: 50019F25
                                                              • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(?,00000000,5001551A,?,?,?,00000000,00000000), ref: 500154EA
                                                              • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,5001551A,?,?,?,00000000,00000000), ref: 500154F3
                                                                • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                                • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$String$System@@$Ansi$Char$qqrx20$From$InternalStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%Upper$Case$qqrx20Char$BuffLen$qqrr20Pos$qqrx20StringpbiStringt1
                                                              • String ID:
                                                              • API String ID: 1811596575-0
                                                              • Opcode ID: f8655f718251c2dc71c6e2303aeecd35c5678775ca9ef57c7831b282cf33942c
                                                              • Instruction ID: c0b1a5ea2b56544e033e8cc658cc13535f1bdf9ea375e6b9a9d5c146db7ca2d2
                                                              • Opcode Fuzzy Hash: f8655f718251c2dc71c6e2303aeecd35c5678775ca9ef57c7831b282cf33942c
                                                              • Instruction Fuzzy Hash: 74F0E936705744AFEB01CAE4DC51B9DB7EDDB48210F518572F900D7341D6749E0086D4
                                                              Function 5001C5A4 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5C7
                                                                • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                              • @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5D5
                                                                • Part of subcall function 500286A0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286AB
                                                                • Part of subcall function 500286A0: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286C5
                                                                • Part of subcall function 500286A0: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286D5
                                                              • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5E0
                                                                • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$Stringx20Sysutils@$Delimiter$qqrx20$Asg$qqrr20Path$Cat$qqrr20Cat3$qqrr20Copy$qqrx20ExtractFileIncludeLastName$qqrx20StringiStringiiStringt1Stringt2Trailing
                                                              • String ID:
                                                              • API String ID: 4289416924-0
                                                              • Opcode ID: cbb00767dfdef57c8a6a94f2a97003c90a3088f6f5a0bed04f05ac7a6cd57dea
                                                              • Instruction ID: 57fd14a13350398e88c99b23b071614aa93d96e5052488e5150640dac515cbaf
                                                              • Opcode Fuzzy Hash: cbb00767dfdef57c8a6a94f2a97003c90a3088f6f5a0bed04f05ac7a6cd57dea
                                                              • Instruction Fuzzy Hash: ABF0BE35305384ABE711DAA5EC51E8AB7ADEBC9620FA14666B904E3341D974EE0085A4
                                                              Function 5002889C Relevance: 6.0, APIs: 4, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288BC
                                                                • Part of subcall function 50019F4C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019FD0), ref: 50019F85
                                                                • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019FD0), ref: 50019F98
                                                                • Part of subcall function 50019F4C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019FD0), ref: 50019FA3
                                                                • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019FD0), ref: 50019FAF
                                                                • Part of subcall function 50019F4C: CharLowerBuffW.USER32(00000000,?,00000000,50019FD0), ref: 50019FB5
                                                              • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288CA
                                                              • @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288D3
                                                                • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019BF4
                                                                • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C09
                                                                • Part of subcall function 50019BD4: @System@@LStrArrayClr$qqrpvi.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C5A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$Ansi$From$LowerStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Case$qqrx20CharChar$qqrx20$ArrayBuffClr$qqrpviCompareInternalLen$qqrr20Str$qqrx20StringpbiStringt1
                                                              • String ID:
                                                              • API String ID: 2714845271-0
                                                              • Opcode ID: 5ad6f6ad8a74d05bca40f67ae65e425fd22752f68b44519822e8c10b39ad4a31
                                                              • Instruction ID: 3b1375f16a59b80594c295dcd8003e2593a585a6f493d83d981e7d870c7d49f9
                                                              • Opcode Fuzzy Hash: 5ad6f6ad8a74d05bca40f67ae65e425fd22752f68b44519822e8c10b39ad4a31
                                                              • Instruction Fuzzy Hash: EBF08936705344BFDB01DAE4ED51BDEB7EDDF48610F5145B2F900D3641D6749E408694
                                                              Function 500265E8 Relevance: 6.0, APIs: 4, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                              • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Unicode$System@@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20MetaRecxiStringStringpx14Stringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 2203270808-0
                                                              • Opcode ID: 8a06c8108bb7d8ccefdc9901acd0eb074360c6541fd827dabcbd55e415eef1b7
                                                              • Instruction ID: 5c853f4ed2ac0c9bc1a77cb935357e7c10a3e6514227e9817a7166fb08a22db9
                                                              • Opcode Fuzzy Hash: 8a06c8108bb7d8ccefdc9901acd0eb074360c6541fd827dabcbd55e415eef1b7
                                                              • Instruction Fuzzy Hash: D6F0B431605589AFD710CA94EC52D5EB7ADEB8A660FA18372F90893640DA31AE05C691
                                                              Function 5001BC10 Relevance: 6.0, APIs: 4, Instructions: 36timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?), ref: 5001BC21
                                                              • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 5001BC27
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,00000000,?), ref: 5001BC3E
                                                              • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001BC4F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileTime$AttributesChar$qqrx20DateLocalStringSystem@System@@Unicode
                                                              • String ID:
                                                              • API String ID: 621471433-0
                                                              • Opcode ID: 11ddeee012ef72541587c81d2c4f6ae2ffdcb67a1e5da0485f11f4257ba00eeb
                                                              • Instruction ID: 2ec93d420f7fcb1b567d715506b069df497adf6230f9334c837aee8c9b07c3bb
                                                              • Opcode Fuzzy Hash: 11ddeee012ef72541587c81d2c4f6ae2ffdcb67a1e5da0485f11f4257ba00eeb
                                                              • Instruction Fuzzy Hash: 6BF0BD72A0528DA6DB11EAE4DD85EDFB3BCAB04210F404766B914E3182EB74AA0457D0
                                                              Function 50021698 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216C2
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216CA
                                                              • @Sysutils@TextToFloat$qqrpcpv20Sysutils@TFloatValuerx24Sysutils@TFormatSettings.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216D3
                                                                • Part of subcall function 50021580: @System@FPower10$qqrv.RTL120 ref: 50021606
                                                              • @System@@LStrClr$qqrpv.RTL120(500216F7,?,?,?,00000000), ref: 500216EA
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$Sysutils@$AnsiStringSystem@%$Char$qqrr27Char$qqrx27Clr$qqrpvFloatFloat$qqrpcpv20FormatFreeFromMem$qqrpvPower10$qqrvSettingsSystem@T$us$i0$%T$us$i0$%pbusTextValuerx24
                                                              • String ID:
                                                              • API String ID: 3176001047-0
                                                              • Opcode ID: 096e108351b0c95bdd88cef74aa5ff209f8a2702cfba72334109f8fd92193702
                                                              • Instruction ID: 9fd13c48b86fe8ba40560011224ed825752708d08ad58dc217336ba303494022
                                                              • Opcode Fuzzy Hash: 096e108351b0c95bdd88cef74aa5ff209f8a2702cfba72334109f8fd92193702
                                                              • Instruction Fuzzy Hash: 43F02731305244ABE704CAA5FC61A9EB7EEEFE9640FA64176F505C3741DA70AD018694
                                                              Function 50028834 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,5002888D,?,?,?,00000000,00000000), ref: 50028854
                                                                • Part of subcall function 50019F4C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019FD0), ref: 50019F85
                                                                • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019FD0), ref: 50019F98
                                                                • Part of subcall function 50019F4C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019FD0), ref: 50019FA3
                                                                • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019FD0), ref: 50019FAF
                                                                • Part of subcall function 50019F4C: CharLowerBuffW.USER32(00000000,?,00000000,50019FD0), ref: 50019FB5
                                                              • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,5002888D,?,?,?,00000000,00000000), ref: 50028862
                                                              • @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,5002888D,?,?,?,00000000,00000000), ref: 5002886B
                                                                • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019BF4
                                                                • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C09
                                                                • Part of subcall function 50019BD4: @System@@LStrArrayClr$qqrpvi.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C5A
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$StringSystem@@$Ansi$From$LowerStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Case$qqrx20CharChar$qqrx20$ArrayBuffClr$qqrpviCompareInternalLen$qqrr20Str$qqrx20StringpbiStringt1
                                                              • String ID:
                                                              • API String ID: 2714845271-0
                                                              • Opcode ID: 305cfe6e8fe4599ad0224e3db809e64d7292e10cee766da07364fbdc4708b33c
                                                              • Instruction ID: 78bc52d133ef3eee87fb56faae3835f84c1f75803b4e5c0fcda7dd3ba297cfd4
                                                              • Opcode Fuzzy Hash: 305cfe6e8fe4599ad0224e3db809e64d7292e10cee766da07364fbdc4708b33c
                                                              • Instruction Fuzzy Hash: 5CF05E39705688BBEB01DAA4EC91F9EB7EDDB88610F9186B2F500D7641E674AE008694
                                                              Function 50026914 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026923
                                                              • @Sysutils@LoadStr$qqri.RTL120(00000000,5002696D,?,?,?,?,00000000), ref: 50026941
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002696D,?,?,?,?,00000000), ref: 5002694C
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$Asg$qqrr20ClassClassoCreate$qqrp17LoadMetaStr$qqriStringStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1550118436-0
                                                              • Opcode ID: 034090b49bb97b67128a40d4687890c5d9aaa484eac5c38350ac9ee2cffa029a
                                                              • Instruction ID: 078013d5af54c5226b3ab0755ea7a38ccff1b0ce4df6d013d20a1ea011b46d79
                                                              • Opcode Fuzzy Hash: 034090b49bb97b67128a40d4687890c5d9aaa484eac5c38350ac9ee2cffa029a
                                                              • Instruction Fuzzy Hash: 12F05971500685BFD700CF64EC52C5AB7ACEB86710F918372F90897340EB31AE04C6D0
                                                              Function 50015C58 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50015CAE), ref: 50015C87
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50015CAE), ref: 50015C93
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@Unicode$Asg$qqrr20StringStringx20System@@
                                                              • String ID:
                                                              • API String ID: 2900266584-0
                                                              • Opcode ID: 980095aa4e241e9a3d1db5ea2f41c3d6ed3e039b286bf848a9136646c47f4e17
                                                              • Instruction ID: 0a1459572a6aba790754909bdfcb037c330aa85f6d23f18ce1b31e8537a0f504
                                                              • Opcode Fuzzy Hash: 980095aa4e241e9a3d1db5ea2f41c3d6ed3e039b286bf848a9136646c47f4e17
                                                              • Instruction Fuzzy Hash: D7F0A730605288EFAB15DF99DD2286EBBECDF996507A14573F904D7310E6709E00D6D0
                                                              Function 500043E4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LGetDir$qqrucr27System@%AnsiStringT$us$i0$%.RTL120(00000000,50004446), ref: 50004409
                                                                • Part of subcall function 500042F0: GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004321
                                                                • Part of subcall function 500042F0: SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004327
                                                                • Part of subcall function 500042F0: GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004336
                                                                • Part of subcall function 500042F0: SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004347
                                                                • Part of subcall function 500042F0: @System@@LStrFromArray$qqrr27System@%AnsiStringT$us$i0$%pcius.RTL120(00000000,00000105,?), ref: 50004359
                                                              • @System@@LStrToString$qqrv.RTL120(00000000,50004446), ref: 5000441C
                                                                • Part of subcall function 50008BDC: @System@Move$qqrpxvpvi.RTL120(?,50004421,00000000,50004446), ref: 50008BF2
                                                              • @System@@PStrNCpy$qqrp28System@%SmallString$iuc$255%t1uc.RTL120(00000000,50004446), ref: 5000442B
                                                                • Part of subcall function 50004F14: @System@Move$qqrpxvpvi.RTL120(?,50004430,00000000,50004446), ref: 50004F26
                                                              • @System@@LStrClr$qqrpv.RTL120(5000444D), ref: 50004440
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$CurrentDirectory$System@%$AnsiMove$qqrpxvpviStringSystem@$Array$qqrr27Clr$qqrpvCpy$qqrp28Dir$qqrucr27FreeFromMem$qqrpvSmallString$iuc$255%t1ucString$qqrvT$us$i0$%T$us$i0$%pcius
                                                              • String ID:
                                                              • API String ID: 506161246-0
                                                              • Opcode ID: 692566ae1197cd59d330c93bd91ad5e67e88b7571903b626b87b6deb05836648
                                                              • Instruction ID: 1f1c8239afc9ae75611213fcacec5c0f4d323074735c47231db78d41111fae57
                                                              • Opcode Fuzzy Hash: 692566ae1197cd59d330c93bd91ad5e67e88b7571903b626b87b6deb05836648
                                                              • Instruction Fuzzy Hash: 6EF0E9B0A042489FE714DF95EDA199EB3BAFBC8300FD042BAA90493741DB741F048595
                                                              Function 5002151C Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 50021542
                                                              • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 5002154A
                                                              • @Sysutils@TextToFloat$qqrpcpv20Sysutils@TFloatValue.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 50021553
                                                                • Part of subcall function 50021408: @System@FPower10$qqrv.RTL120(00000000,00000000,?,00000000), ref: 5002148D
                                                              • @System@@LStrClr$qqrpv.RTL120(50021577,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 5002156A
                                                                • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@@$AnsiStringSystem@%Sysutils@$Char$qqrr27Char$qqrx27Clr$qqrpvFloatFloat$qqrpcpv20FreeFromMem$qqrpvPower10$qqrvSystem@T$us$i0$%T$us$i0$%pbusTextValue
                                                              • String ID:
                                                              • API String ID: 3332700872-0
                                                              • Opcode ID: 3868efb18936c867525fd66657176d425ff5bb23a5c2c67d669c6902671eb1b7
                                                              • Instruction ID: d635544f2e29b8d36e0ff77d7db167ac281d6be62c4688162a595b10ac468aae
                                                              • Opcode Fuzzy Hash: 3868efb18936c867525fd66657176d425ff5bb23a5c2c67d669c6902671eb1b7
                                                              • Instruction Fuzzy Hash: 4EF05C31705244ABE304DAA5FC22A5DF6DDDFDA240FE10176F504D3341D9309E018290
                                                              Function 50026668 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026677
                                                              • @Sysutils@LoadStr$qqri.RTL120(00000000,500266BB,?,?,?,?,00000000), ref: 50026695
                                                              • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500266BB,?,?,?,?,00000000), ref: 500266A0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Unicode$Asg$qqrr20ClassClassoCreate$qqrp17LoadMetaStr$qqriStringStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 1550118436-0
                                                              • Opcode ID: 7999dc591e2fe863dded708c101b128678d951501262c20680e16ba129308214
                                                              • Instruction ID: 6d5eb7f83aa1e2fd7c5966daae1cddd1a1bec88c9349280672d0eb764180ee1f
                                                              • Opcode Fuzzy Hash: 7999dc591e2fe863dded708c101b128678d951501262c20680e16ba129308214
                                                              • Instruction Fuzzy Hash: B6F02771201585AFE701C6A4ED66C5EB7ADDB8AA50F914773F90493250EB319E05C1D0
                                                              Function 50011068 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 5001106D
                                                              • @Character@TCharacter@CheckPunctuation$qqr26Character@TUnicodeCategory.RTL120 ref: 50011080
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011090
                                                              • @Character@TCharacter@CheckPunctuation$qqr26Character@TUnicodeCategory.RTL120 ref: 500110C9
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$CategoryCheckPunctuation$qqr26Unicode$Initialize$qqrvLatin1$qqrb
                                                              • String ID:
                                                              • API String ID: 484436152-0
                                                              • Opcode ID: 52ede1bb95d7295b06e80802bbd38fe83311b756c692b49ea5d382278e8cd971
                                                              • Instruction ID: 7d71bda536cb03520909d9fae99c602a8809cf4c5d9d924bc7c1391ccae14e08
                                                              • Opcode Fuzzy Hash: 52ede1bb95d7295b06e80802bbd38fe83311b756c692b49ea5d382278e8cd971
                                                              • Instruction Fuzzy Hash: FFF0B490B154A00BD3148761EC6167433E2A799306749417EF487CFA97DB3985E9E720
                                                              Function 50035408 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 50035418
                                                              • @Variants@@VarCopy$qqrr8TVarDatarx8TVarData.RTL120(00000000,5003545E,?,?,?,?), ref: 50035430
                                                              • @Variants@@VarToWStr$qqrr17System@WideStringrx8TVarData.RTL120(?,?,?,?), ref: 50035443
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50035465,?), ref: 50035458
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DataVariants@@$Clear$qqrr8Copy$qqrr8Datarx8InitStr$qqrr17Stringrx8System@VariantWide
                                                              • String ID:
                                                              • API String ID: 624794194-0
                                                              • Opcode ID: 6b63245a20f1eb38ffd970ee5c0938cccb914511c5db392fd5e623de6624604f
                                                              • Instruction ID: bfc4515f3b2110e8e2ff6e1677464bd507c6d1f87ba6beb108f7212765f465d6
                                                              • Opcode Fuzzy Hash: 6b63245a20f1eb38ffd970ee5c0938cccb914511c5db392fd5e623de6624604f
                                                              • Instruction Fuzzy Hash: 14F0EC3091069D8FCB06CBA4EC428EEB3ACEF49211B810A33F510D2260FA34A90086A4
                                                              Function 500114F4 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500114F9
                                                              • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120 ref: 5001150C
                                                              • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 5001151C
                                                              • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120 ref: 50011555
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Character@$CategoryCheckSymbol$qqr26Unicode$Initialize$qqrvLatin1$qqrb
                                                              • String ID:
                                                              • API String ID: 691609695-0
                                                              • Opcode ID: fe5f3e23eb1f0a261a5750bcabd28b339d05d764b1ddcb6578aceedb70423048
                                                              • Instruction ID: 7b396b0d8ffb9378e5810028f15ef3c5548f1d5ddace2a8aa8357158f6fe202e
                                                              • Opcode Fuzzy Hash: fe5f3e23eb1f0a261a5750bcabd28b339d05d764b1ddcb6578aceedb70423048
                                                              • Instruction Fuzzy Hash: 37F0BE91B154A04BD31887A1EC6127533E367D531274841BEF487CB2A3DB38C9E9E660
                                                              Function 50035AF4 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 50035B04
                                                              • @Variants@@VarCopy$qqrr8TVarDatarx8TVarData.RTL120(00000000,50035B4A,?,?,?,?), ref: 50035B1C
                                                              • @Variants@@VarToUStr$qqrr20System@UnicodeStringrx8TVarData.RTL120(?,?,?,?), ref: 50035B2F
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50035B51,?), ref: 50035B44
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DataVariants@@$Clear$qqrr8Copy$qqrr8Datarx8InitStr$qqrr20Stringrx8System@UnicodeVariant
                                                              • String ID:
                                                              • API String ID: 1468330936-0
                                                              • Opcode ID: 06cfeee0a6fcf60786b3d31dc2246aab1179ed64e64cdb3810cc65447ef0e45c
                                                              • Instruction ID: be030533f1588a6be419db2ab8460c97b0700afb37878b8d6ee957e60b2b799b
                                                              • Opcode Fuzzy Hash: 06cfeee0a6fcf60786b3d31dc2246aab1179ed64e64cdb3810cc65447ef0e45c
                                                              • Instruction Fuzzy Hash: DDF08C319246999FDB16DBA4EC528EEB3ACFF49211B810E73E510D3261FA34A90486A4
                                                              Function 50034BB4 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 50034BC4
                                                              • @Variants@@VarCopy$qqrr8TVarDatarx8TVarData.RTL120(00000000,50034C0A,?,?,?,?), ref: 50034BDC
                                                              • @Variants@@VarToLStr$qqrr27System@%AnsiStringT$us$i0$%rx8TVarData.RTL120(?,?,?,?), ref: 50034BEF
                                                              • @Variants@@VarClear$qqrr8TVarData.RTL120(50034C11,?), ref: 50034C04
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DataVariants@@$AnsiClear$qqrr8Copy$qqrr8Datarx8InitStr$qqrr27StringSystem@%T$us$i0$%rx8Variant
                                                              • String ID:
                                                              • API String ID: 4239972150-0
                                                              • Opcode ID: ce903c79d1aa30caf9bc309beb0234f66068405bd776285d823b15bf01630d18
                                                              • Instruction ID: 50cfb5bd7090002bc9a17336f9fd827c0b7584578943761c5f951bb34ec717ca
                                                              • Opcode Fuzzy Hash: ce903c79d1aa30caf9bc309beb0234f66068405bd776285d823b15bf01630d18
                                                              • Instruction Fuzzy Hash: 76F082319256999FDB46DFA4EC518EE73ACFF4C210B410A33E910D2651EA34A9048694
                                                              Function 500226AC Relevance: 6.0, APIs: 4, Instructions: 31timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@DecodeDate$qqrx16System@TDateTimerust2t2.RTL120(?,?), ref: 500226C4
                                                                • Part of subcall function 500224F0: @Sysutils@DecodeDateFully$qqrx16System@TDateTimerust2t2t2.RTL120(?,?,5001D662,?,?,?,5001D662,?,?), ref: 50022503
                                                              • @Sysutils@IncAMonth$qqrrust1t1i.RTL120(?,?,?), ref: 500226D3
                                                                • Part of subcall function 50022708: @Sysutils@IsLeapYear$qqrus.RTL120 ref: 50022767
                                                              • @Sysutils@EncodeDate$qqrususus.RTL120(?,?,?), ref: 500226E4
                                                                • Part of subcall function 50022374: @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120 ref: 50022387
                                                              • @Sysutils@ReplaceTime$qqrr16System@TDateTimex16System@TDateTime.RTL120(?,?,?,?,?), ref: 500226F6
                                                                • Part of subcall function 50022798: @System@@TRUNC$qqrv.RTL120 ref: 500227A3
                                                                • Part of subcall function 50022798: @System@Frac$qqrxg.RTL120 ref: 500227CC
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sysutils@$DateSystem@$DecodeEncodeTime$C$qqrvDate$qqrusususDate$qqrusususr16Date$qqrx16Frac$qqrxgFully$qqrx16LeapMonth$qqrrust1t1iReplaceSystem@@Time$qqrr16Timerust2t2Timerust2t2t2Timex16Year$qqrus
                                                              • String ID:
                                                              • API String ID: 4205208091-0
                                                              • Opcode ID: 588e2177f7e5a343351c1f5257f7af4bba4bff301c8b8eac32b1d71317e14410
                                                              • Instruction ID: 90397f2099132ae17983f43b1299ad6055f1b282f2460c1bcfdd474071a034a8
                                                              • Opcode Fuzzy Hash: 588e2177f7e5a343351c1f5257f7af4bba4bff301c8b8eac32b1d71317e14410
                                                              • Instruction Fuzzy Hash: 15F0A97180510FBACF009FD1E9818ECBBB9FF54219F408692F85465151EB32A769D794
                                                              Function 5002D730 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                • Part of subcall function 5002D4E0: @System@@DynArrayLength$qqrv.RTL120(?,?,5002D743,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D4E8
                                                                • Part of subcall function 5002D4E0: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(00000000,?,?,5002D743,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D4F4
                                                              • @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                              • @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                              • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7A6
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7AB
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7C9
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7CE
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D7F1
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D7F6
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D819
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D81E
                                                                • Part of subcall function 5002D778: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D826
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D84B
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D850
                                                                • Part of subcall function 5002D778: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D85A
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D885
                                                                • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D88A
                                                                • Part of subcall function 5002D778: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D898
                                                                • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B3
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@Sysutils@$Exception@$bctr$qqrp20String$ArrayExcept$qqrvRaise$DynamicLength$qqrvSystem@%$Encoding@Recpx14Recxi$ByteCount$qqrx24$Array$tb%ii$Array$tb%Array$tb%iir25Array$tuc%iBytes$qqrx24Length$qqrrpvpvipi
                                                              • String ID:
                                                              • API String ID: 2407772116-0
                                                              • Opcode ID: 1dc450ecc9b7c26e56a1978d27bd101473ac7bfdd39d81aed57d41dd007fa2c2
                                                              • Instruction ID: 9aaef7661f88e341657fce88e442fcf8159dd86dd4df8b5ba2cc1c183d9f0c43
                                                              • Opcode Fuzzy Hash: 1dc450ecc9b7c26e56a1978d27bd101473ac7bfdd39d81aed57d41dd007fa2c2
                                                              • Instruction Fuzzy Hash: BAE04F6170615427E21462AEBC42E3BA6CEC7D8A21F50413BBA09C7352DCA5EC0242E4
                                                              Function 5002C220 Relevance: 6.0, APIs: 4, Instructions: 30COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C22A
                                                              • @System@TObject@$bctr$qqrv.RTL120(?,?,?,5002C1FA), ref: 5002C239
                                                              • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120(?,?,?,5002C1FA), ref: 5002C249
                                                              • @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,5002C1FA), ref: 5002C259
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$AfterBuilder@set_Capacity$qqriClassClassoConstruction$qqrp14Create$qqrp17MetaObjectObject@$bctr$qqrvStringSysutils@
                                                              • String ID:
                                                              • API String ID: 1727176548-0
                                                              • Opcode ID: 68ad4378320049a673c0ba78b27b0f3727ba377b8d7406c843f74b7b50d33d9b
                                                              • Instruction ID: f4a9a15b8d1a87e593a23b1651af1a404b07da154b15add0f3e5161749c54f5b
                                                              • Opcode Fuzzy Hash: 68ad4378320049a673c0ba78b27b0f3727ba377b8d7406c843f74b7b50d33d9b
                                                              • Instruction Fuzzy Hash: E9E022B3B02481878300C6AE7C41A6676C78FC5570B188332B028CB385EB268C1603E2
                                                              Function 500142F8 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50014342,?,00000000), ref: 50014313
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50014342,?,00000000), ref: 50014322
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50014342,?,00000000), ref: 50014327
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: 98ccc1d5f2630f6518c2775a4f6d229749f85d97b1d2f6e253096087c6293393
                                                              • Instruction ID: ccdb1991516171cd19e0ef9f1dd462ec752cf41ca7ab63605b4c294a36c3ea3a
                                                              • Opcode Fuzzy Hash: 98ccc1d5f2630f6518c2775a4f6d229749f85d97b1d2f6e253096087c6293393
                                                              • Instruction Fuzzy Hash: 46E092341156C8EFE711DBA4ED62869B3B8EF94700F914563F90083661DA316F04D990
                                                              Function 5002C360 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @Sysutils@TStringBuilder@get_Capacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C366
                                                                • Part of subcall function 5002C39C: @System@@DynArrayLength$qqrv.RTL120(5002CEC3), ref: 5002C39F
                                                              • @Sysutils@TStringBuilder@get_MaxCapacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C37C
                                                              • @Sysutils@TStringBuilder@get_MaxCapacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C387
                                                              • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120(?,?,5002CECE), ref: 5002C392
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: StringSysutils@$Builder@get_Capacity$qqrv$ArrayBuilder@set_Capacity$qqriLength$qqrvSystem@@
                                                              • String ID:
                                                              • API String ID: 1916226493-0
                                                              • Opcode ID: d0824a8af33cadbe3178f22280927c209b2c4cdd0f5c74774a72a4c6b9b60ecc
                                                              • Instruction ID: 23260aa18dfd21666b53627013c0cc0a4d10d4ba6927f08ef2018b0f3389f9ba
                                                              • Opcode Fuzzy Hash: d0824a8af33cadbe3178f22280927c209b2c4cdd0f5c74774a72a4c6b9b60ecc
                                                              • Instruction Fuzzy Hash: 2EE0E223B135B2078720E9BCBCC188D41C84A280B030AAF77F805EB303E5A9CE8543C0
                                                              Function 5003070C Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030756,?,00000000), ref: 50030727
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030756,?,00000000), ref: 50030736
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50030756,?,00000000), ref: 5003073B
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: 9adbf1e102df835a60131fb93e77b0ad724821b13bdac4217d23f11bd0adb454
                                                              • Instruction ID: 7b96b98e3e44b9784b1c23c869ab84a684675366666c903ca15437983a838fae
                                                              • Opcode Fuzzy Hash: 9adbf1e102df835a60131fb93e77b0ad724821b13bdac4217d23f11bd0adb454
                                                              • Instruction Fuzzy Hash: 12E09234505588EFEB22DB90FD629AAB3A9EB59700FE10573F90083651DA317E00D9A0
                                                              Function 500307FC Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030846,?,00000000), ref: 50030817
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030846,?,00000000), ref: 50030826
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50030846,?,00000000), ref: 5003082B
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: 6f18f2c73f444128e5a733a293f07d3ed2a7dced5cd209cccd8cd0d28c8d86e9
                                                              • Instruction ID: 0fd73ecdc63e3906adab3347c8ca8083b58c1d45574116356cda35ff769876bc
                                                              • Opcode Fuzzy Hash: 6f18f2c73f444128e5a733a293f07d3ed2a7dced5cd209cccd8cd0d28c8d86e9
                                                              • Instruction Fuzzy Hash: D5E09234105688EFEB11DFA1EE6296AB3A9EB94740FA10573F90482651DE316E00D990
                                                              Function 50030850 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5003089A,?,00000000), ref: 5003086B
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5003089A,?,00000000), ref: 5003087A
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,5003089A,?,00000000), ref: 5003087F
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: 801a26064422de4bee8b03e7eabf7526823dfbc5163cdb4573ffbdd956c762c3
                                                              • Instruction ID: 375d69ef3d01049e605aa9f8fdfeda863f1c380b39b0ffaf094c9cd922885603
                                                              • Opcode Fuzzy Hash: 801a26064422de4bee8b03e7eabf7526823dfbc5163cdb4573ffbdd956c762c3
                                                              • Instruction Fuzzy Hash: A7E09B34105684DFFB12DB94ED7399A73A8EB54700F9105B3F90142651DE356E00D990
                                                              Function 50030A34 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030A7E,?,00000000), ref: 50030A4F
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030A7E,?,00000000), ref: 50030A5E
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50030A7E,?,00000000), ref: 50030A63
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: f1687f117a903241ffaa1fa5060f16201b683147ee7a1374503e745b60fd8754
                                                              • Instruction ID: 7528d12fff5074f310ed779a2ab25226a40bb15e629f8c4203f1ec9f173bc9b7
                                                              • Opcode Fuzzy Hash: f1687f117a903241ffaa1fa5060f16201b683147ee7a1374503e745b60fd8754
                                                              • Instruction Fuzzy Hash: BDE0D834105A88EFEB12DBE0FD729AAB7B9EB59700F914577F90083651DF316E00D991
                                                              Function 50030DA0 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030DEA,?,00000000), ref: 50030DBB
                                                                • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                              • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030DEA,?,00000000), ref: 50030DCA
                                                                • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                              • @System@@RaiseExcept$qqrv.RTL120(00000000,50030DEA,?,00000000), ref: 50030DCF
                                                                • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                              • String ID:
                                                              • API String ID: 336146123-0
                                                              • Opcode ID: fe9f18572c1f18bd5478f3c50b2f1ca1082490e108775c7d732fa2d6dcab26f2
                                                              • Instruction ID: e95919099a761305471392459d198913835e1fb163ce40832130d89749eb3eb0
                                                              • Opcode Fuzzy Hash: fe9f18572c1f18bd5478f3c50b2f1ca1082490e108775c7d732fa2d6dcab26f2
                                                              • Instruction Fuzzy Hash: A4E09234116688EFEB12DBE4FD72D9AB3E8FB54700F914563F90082651DA31BE00D990
                                                              Function 5000212C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 22sleepCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • Sleep.KERNEL32(00000000,50003885), ref: 50002142
                                                              • Sleep.KERNEL32(0000000A,00000000,50003885), ref: 5000215B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: LJP$LJP
                                                              • API String ID: 3472027048-3339104776
                                                              • Opcode ID: c164c85c6bd618db57c2144687f5cfb642152b2fc34a6d7309f96ec3fd8f8499
                                                              • Instruction ID: 1f4c43393d7b9fdfd9f5fbbc5e004a109d874a1f633b2967da1b9418d077b2a2
                                                              • Opcode Fuzzy Hash: c164c85c6bd618db57c2144687f5cfb642152b2fc34a6d7309f96ec3fd8f8499
                                                              • Instruction Fuzzy Hash: 56E0CD286083C112FB8056F028397DF17C30BB1584FC4038AEF54471D3C67A68055346
                                                              Function 50005124 Relevance: 6.0, APIs: 4, Instructions: 20fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@SetInOutRes$qqri.RTL120 ref: 5000513C
                                                              • DeleteFileW.KERNEL32(?), ref: 50005147
                                                              • GetLastError.KERNEL32(?), ref: 50005150
                                                              • @System@SetInOutRes$qqri.RTL120(?), ref: 50005155
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Res$qqriSystem@$DeleteErrorFileLast
                                                              • String ID:
                                                              • API String ID: 2381681663-0
                                                              • Opcode ID: f50552c7c8a8d1e0cbec7b417928886d24a38268f93fe67ec141b2c984adff18
                                                              • Instruction ID: bb7ad3ba53af60b48c6de9ba25e781b0205e3d77af95161216580be110d8d8b4
                                                              • Opcode Fuzzy Hash: f50552c7c8a8d1e0cbec7b417928886d24a38268f93fe67ec141b2c984adff18
                                                              • Instruction Fuzzy Hash: 1CD05EE964308082FF443AE8E4B17C661998F54213FC842A3BD4489187F72DCAD195B5
                                                              Function 50003A58 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@FillChar$qqrpvib.RTL120 ref: 50003A6A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$qqrpvibFillSystem@@
                                                              • String ID: <JP$jP
                                                              • API String ID: 4121559260-1976356052
                                                              • Opcode ID: 1df4666b6065bb4c860eebf29b90c5e0bf618a6166f25d08af580d2d2a1666dc
                                                              • Instruction ID: 29e72c1258d551b32b7b75072670d586078dfe44cbfcda950a95c9ee85119c78
                                                              • Opcode Fuzzy Hash: 1df4666b6065bb4c860eebf29b90c5e0bf618a6166f25d08af580d2d2a1666dc
                                                              • Instruction Fuzzy Hash: 46416D71604B41CFE361DFADD89470AB7E0EF94228F44CB2EE589CB652E734E8448B46
                                                              Function 50003838 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@FillChar$qqrpvib.RTL120 ref: 5000384A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Char$qqrpvibFillSystem@@
                                                              • String ID: <JP$jP
                                                              • API String ID: 4121559260-1976356052
                                                              • Opcode ID: 36264c1cf101ac4c8ec33a34441a950c0984b743827c9545f83337dbb8638ebb
                                                              • Instruction ID: 0b5a206ebe67b66b8e3c020c356c1e6d665bc0067f7b04b9bcba261746849486
                                                              • Opcode Fuzzy Hash: 36264c1cf101ac4c8ec33a34441a950c0984b743827c9545f83337dbb8638ebb
                                                              • Instruction Fuzzy Hash: 60319071605B818FE366CFADD894749B7E8FF50624F94C369E5588B252DB70EC01CB81
                                                              Function 50021580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@FPower10$qqrv.RTL120 ref: 50021606
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Power10$qqrvSystem@
                                                              • String ID: +$-
                                                              • API String ID: 140778524-2137968064
                                                              • Opcode ID: 32b8098c721a4e46187648da88f365d788b2412693a4c3184540e22e5d6e62b9
                                                              • Instruction ID: 331eab40c37fd92a1dba551ef5550b3055afbfd15106153d872e105f9a111e51
                                                              • Opcode Fuzzy Hash: 32b8098c721a4e46187648da88f365d788b2412693a4c3184540e22e5d6e62b9
                                                              • Instruction Fuzzy Hash: 8B21C910E0B0D76EE72016A8F8487DEBFE59F31620F6C0B9BD8C483243D9308D828790
                                                              Function 50021408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@FPower10$qqrv.RTL120(00000000,00000000,?,00000000), ref: 5002148D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Power10$qqrvSystem@
                                                              • String ID: +$-
                                                              • API String ID: 140778524-2137968064
                                                              • Opcode ID: cf31913889536f98ca9fe7bf4674e760db0a12c29d842ff9dc99d359c51be7e3
                                                              • Instruction ID: fa1cfcb7d4169ee6ed92dfde316ec9fe3663952840befaa7f587ccd8d0985425
                                                              • Opcode Fuzzy Hash: cf31913889536f98ca9fe7bf4674e760db0a12c29d842ff9dc99d359c51be7e3
                                                              • Instruction Fuzzy Hash: F5110211E0B0C769E72136A5F8407DEBBE5AB71724F6C0B9BD4CC86242D9298E8287D0
                                                              Function 50004610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000467A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Length$qqrr20StringiSystem@System@@Unicode
                                                              • String ID: $"
                                                              • API String ID: 1238308113-3817095088
                                                              • Opcode ID: 3740d5a8882292424296d33065260b11a727ea2989f92afca789f2fadf23aca0
                                                              • Instruction ID: a4110a0b3ab76dcf93db08b7b91ce8b4ca9335338cd7ea686d5f75d583f17b04
                                                              • Opcode Fuzzy Hash: 3740d5a8882292424296d33065260b11a727ea2989f92afca789f2fadf23aca0
                                                              • Instruction Fuzzy Hash: B211E9C3E011A085F7B42700D8322E722E2EB93B517EA0356CC80CB656F2A34C91D55F
                                                              Function 50028BD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetThreadLocale.KERNEL32 ref: 50028BF6
                                                              • GetSystemMetrics.USER32(0000004A), ref: 50028C47
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocaleMetricsSystemThread
                                                              • String ID: HlP
                                                              • API String ID: 3035471613-2947359988
                                                              • Opcode ID: b0f5541512791debc26a8671445bd5c5934f552fcd55d97c6b110629674566dc
                                                              • Instruction ID: 10459d71cf64cf038303f9a9cea68570e56e651b364d0c8a3b35f290a598fd13
                                                              • Opcode Fuzzy Hash: b0f5541512791debc26a8671445bd5c5934f552fcd55d97c6b110629674566dc
                                                              • Instruction Fuzzy Hash: 9A012D741072D28EEB108F65F88536277E89B51254F24C2ABDD489F287DB39C846C7B5
                                                              Function 5001BB80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesExW), ref: 5001BB8D
                                                                • Part of subcall function 5000E884: GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                                • Part of subcall function 5000E884: @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressClr$qqrpvHandleModuleProcSystem@@
                                                              • String ID: GetFileAttributesExW$kernel32.dll
                                                              • API String ID: 3679075934-3171891112
                                                              • Opcode ID: 33b27a9e80b64f9f74edf5c1de5c6d6a4e39c05bd2065b4b5f612ff5d03c5c33
                                                              • Instruction ID: e514f51dd8fb537dfb01239488a6553f3399445b9a4cbebaef623d1d0cc912b9
                                                              • Opcode Fuzzy Hash: 33b27a9e80b64f9f74edf5c1de5c6d6a4e39c05bd2065b4b5f612ff5d03c5c33
                                                              • Instruction Fuzzy Hash: 3AE04F71445288AFD700EF94ED44FAA379CBB98210F408D0BF60987510CB74D482CBA0
                                                              Function 50005D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@RewritText$qqrr15System@TTextRec.RTL120(?,50005E83), ref: 50005D80
                                                              • @System@SetInOutRes$qqri.RTL120(?,50005E83), ref: 50005D99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Res$qqriRewritSystem@@TextText$qqrr15
                                                              • String ID: 0CP
                                                              • API String ID: 2995044334-842509658
                                                              • Opcode ID: 307c06a35ed04e922cfdbbcf6000164576624c71684b84ee2fc310da7f03048e
                                                              • Instruction ID: eabc5bede8330fcccc3b4369240e300fe8af7b4666d213e9db6d5ee23a722cab
                                                              • Opcode Fuzzy Hash: 307c06a35ed04e922cfdbbcf6000164576624c71684b84ee2fc310da7f03048e
                                                              • Instruction Fuzzy Hash: A8D02B453073C08AFB206FF438E010482A05F88002784CB67EC45CB247E569C9405326
                                                              Function 50005454 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • @System@@ResetText$qqrr15System@TTextRec.RTL120(?,5000549E,?,500050BF), ref: 5000546C
                                                              • @System@SetInOutRes$qqri.RTL120(?,5000549E,?,500050BF), ref: 50005485
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1878332843.0000000050001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 50000000, based on PE: true
                                                              • Associated: 0000001F.00000002.1878291179.0000000050000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879276252.000000005009C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879309851.000000005009D000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879389781.00000000500AA000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879421137.00000000500AB000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.00000000500FD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 0000001F.00000002.1879458114.0000000050113000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_50000000_IUService.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: System@$Res$qqriResetSystem@@TextText$qqrr15
                                                              • String ID: `@P
                                                              • API String ID: 3749152163-4219215009
                                                              • Opcode ID: 474c6b335946cc709f9bfe439fa6d2f0613b7dda503e967d2b86d165faebaa74
                                                              • Instruction ID: 3488a2e08867437c2cb3a72290a42c38b3174c830ac736cddd9b2ab7f76a7471
                                                              • Opcode Fuzzy Hash: 474c6b335946cc709f9bfe439fa6d2f0613b7dda503e967d2b86d165faebaa74
                                                              • Instruction Fuzzy Hash: B8D05E897472D08ABB40AFF828F029495A05B48152B84D667FD84CB253E659CA549365